DRUPAL-CONTRIB-2026-020

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/file_access_fix/DRUPAL-CONTRIB-2026-020.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-020
Aliases
  • CVE-2026-3525
Published
2026-03-04T17:54:27Z
Modified
2026-03-04T19:01:53.369139Z
Summary
[none]
Details

This module moves files to and from private storage depending on the access of its owning entities.
The module does not sufficiently incorporate the results of hook_file_download when a custom or contrib module implements that hook, leading to an access bypass.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/file_access_fix

Package

Name
drupal/file_access_fix
Purl
pkg:composer/drupal/file_access_fix

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.2.0
Database specific
{
    "constraint": "<1.2.0"
}

Database specific

source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/file_access_fix/DRUPAL-CONTRIB-2026-020.json"
affected_versions
"<1.2.0"