{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3526", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-04T16:41:54.347Z", "datePublished": "2026-03-26T20:02:55.103Z", "dateUpdated": "2026-03-27T18:17:51.547Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:02:55.103Z"}, "title": "File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021", "datePublic": "2026-03-04T17:56:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"vendor": "Drupal", "product": "File Access Fix (deprecated)", "collectionURL": "https://www.drupal.org/project/file_access_fix", "repo": "https://git.drupalcode.org/project/file_access_fix", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.<p>This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-021"}], "credits": [{"lang": "en", "value": "Pierre Rudloff (prudloff)", "type": "finder"}, {"lang": "en", "value": "Merlin Axel Rutz (geek-merlin)", "type": "remediation developer"}, {"lang": "en", "value": "Damien McKenna (damienmckenna)", "type": "coordinator"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T18:17:31.182154Z", "id": "CVE-2026-3526", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T18:17:51.547Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3526", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T18:17:31.182154Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T18:16:47.815Z"}}], "cna": {"title": "File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Pierre Rudloff (prudloff)"}, {"lang": "en", "type": "remediation developer", "value": "Merlin Axel Rutz (geek-merlin)"}, {"lang": "en", "type": "coordinator", "value": "Damien McKenna (damienmckenna)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/file_access_fix", "vendor": "Drupal", "product": "File Access Fix (deprecated)", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.2.0", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/file_access_fix", "defaultStatus": "unaffected"}], "datePublic": "2026-03-04T17:56:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-021"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.<p>This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:02:55.103Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3526", "state": "PUBLISHED", "dateUpdated": "2026-03-27T18:17:51.547Z", "dateReserved": "2026-03-04T16:41:54.347Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-26T20:02:55.103Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:geeks4change:file_access_fix:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "FE4D1759-491C-4313-9B83-1900F72F5730", "versionEndExcluding": "8.x-1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n incorrecta en Drupal File Access Fix (obsoleto) permite la navegaci\u00f3n forzada. Este problema afecta a File Access Fix (obsoleto): desde 0.0.0 antes de 1.2.0."}], "id": "CVE-2026-3526", "lastModified": "2026-03-31T20:33:47.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T21:17:08.600", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-contrib-2026-021"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "File Access Fix (deprecated)", "source": "cna", "vendor": "Drupal"}, "product": "file_access_fix_(deprecated)", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-04-01T07:09:17.573918+00:00", "value": {"mitigation_remediation": ["Upgrade the File Access Fix module to version 1.2.0 or later.", "If an upgrade is not possible, disable or uninstall the module immediately.", "Verify that the module is no longer active on the site.", "Test that restricted files are no longer publicly accessible.", "Keep Drupal core and all modules regularly updated to avoid similar issues."], "summary": {"action": "Apply Patch", "impact": "Unauthorized File Access"}, "threat_synthesis": {"affected_systems": "The issue affects Drupal sites that have the File Access Fix module installed in any release preceding version\u202f1.2.0, including all releases from 0.0.0 through 1.1.x. The module is marked as deprecated, but any system still running these versions remains vulnerable.", "description_and_impact": "This vulnerability arises from an insufficient authorization check in Drupal\u2019s File Access Fix module, allowing forced browsing of files. Attackers can request arbitrary files that the site should protect, potentially exposing configuration data, source code, or other sensitive content. The weakness is catalogued as CWE\u2011863, reflecting a failure to enforce proper authorization.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1\u202f% suggests low current exploitation likelihood; it is not listed in the CISA KEV catalog. Based on the description, it is inferred that the exploit can be carried out remotely via HTTP requests to the Drupal site, requiring no special privileges beyond being able to reach the affected module through the web interface."}}}}, "created": "2026-03-27T08:32:18.100073+00:00", "updated": "2026-04-02T07:56:30.708339+00:00", "vendors": ["drupal", "drupal$PRODUCT$file_access_fix_(deprecated)"]}