{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3526", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-04T16:41:54.347Z", "datePublished": "2026-03-26T20:02:55.103Z", "dateUpdated": "2026-03-27T18:17:51.547Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:02:55.103Z"}, "title": "File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021", "datePublic": "2026-03-04T17:56:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"vendor": "Drupal", "product": "File Access Fix (deprecated)", "collectionURL": "https://www.drupal.org/project/file_access_fix", "repo": "https://git.drupalcode.org/project/file_access_fix", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.<p>This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-021"}], "credits": [{"lang": "en", "value": "Pierre Rudloff (prudloff)", "type": "finder"}, {"lang": "en", "value": "Merlin Axel Rutz (geek-merlin)", "type": "remediation developer"}, {"lang": "en", "value": "Damien McKenna (damienmckenna)", "type": "coordinator"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T18:17:31.182154Z", "id": "CVE-2026-3526", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T18:17:51.547Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3526", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T18:17:31.182154Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T18:16:47.815Z"}}], "cna": {"title": "File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Pierre Rudloff (prudloff)"}, {"lang": "en", "type": "remediation developer", "value": "Merlin Axel Rutz (geek-merlin)"}, {"lang": "en", "type": "coordinator", "value": "Damien McKenna (damienmckenna)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/file_access_fix", "vendor": "Drupal", "product": "File Access Fix (deprecated)", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.2.0", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/file_access_fix", "defaultStatus": "unaffected"}], "datePublic": "2026-03-04T17:56:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-021"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.<p>This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:02:55.103Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3526", "state": "PUBLISHED", "dateUpdated": "2026-03-27T18:17:51.547Z", "dateReserved": "2026-03-04T16:41:54.347Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-26T20:02:55.103Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:geeks4change:file_access_fix:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "FE4D1759-491C-4313-9B83-1900F72F5730", "versionEndExcluding": "8.x-1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n incorrecta en Drupal File Access Fix (obsoleto) permite la navegaci\u00f3n forzada. Este problema afecta a File Access Fix (obsoleto): desde 0.0.0 antes de 1.2.0."}], "id": "CVE-2026-3526", "lastModified": "2026-03-31T20:33:47.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T21:17:08.600", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-contrib-2026-021"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "File Access Fix (deprecated)", "source": "cna", "vendor": "Drupal"}, "product": "file_access_fix_(deprecated)", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-27T20:24:56.439134+00:00", "value": {"mitigation_remediation": ["Upgrade the Drupal File Access Fix module to version 1.2.0 or later", "If an immediate upgrade is not possible, consider temporarily disabling the module or restricting access to the affected file directories at the web\u2011server level", "After applying the patch or restriction, verify that attempts to access previously protected files fail, ensuring the authorization enforcement is restored"], "summary": {"action": "Apply patch", "impact": "Unauthorized File Access"}, "threat_synthesis": {"affected_systems": "Drupal\u2019s File Access Fix (deprecated) module is affected, specifically all releases before version 1.2.0. The module is available for Drupal installations that rely on this code to control file visibility, so any site deploying the module prior to the stated version is at risk.", "description_and_impact": "An incorrect authorization check in the Drupal File Access Fix (deprecated) module permits forceful browsing of files that should normally be protected. This vulnerability enables an attacker to read restricted files, which can lead to disclosure of sensitive data or further exploitation. The weakness is classed as CWE\u2011863, representing unauthorized access to a protected resource.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests low probability of exploitation in the wild. This vulnerability is not listed in the CISA KEV catalog. Attackers would most likely exploit the flaw by sending crafted HTTP requests that target protected file paths, leveraging the module\u2019s flawed access control to obtain files. Although the description does not detail the exact entry points, the forceful browsing terminology implies web\u2011based, remote exploitation where an unauthenticated or low\u2011privilege user could construct URLs to read arbitrary files."}}}}, "created": "2026-03-27T08:32:18.100073+00:00", "updated": "2026-03-27T20:26:08.037375+00:00", "vendors": ["drupal", "drupal$PRODUCT$file_access_fix_(deprecated)"]}