DRUPAL-CONTRIB-2026-021

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/file_access_fix/DRUPAL-CONTRIB-2026-021.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-021
Aliases
  • CVE-2026-3526
Published
2026-03-04T17:56:18Z
Modified
2026-03-04T19:02:24.485188Z
Summary
[none]
Details

This module moves files to and from private storage depending on the access of their owning entities.

The module does not always validate the access logic correctly, resulting in files attached to an entity not being protected in certain circumstances.

This vulnerability is mitigated by the fact that saving an entity a second time resolves the issue.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/file_access_fix

Package

Name
drupal/file_access_fix
Purl
pkg:composer/drupal/file_access_fix

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.2.0
Database specific
{
    "constraint": "<1.2.0"
}

Database specific

source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/file_access_fix/DRUPAL-CONTRIB-2026-021.json"
affected_versions
"<1.2.0"