{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3525", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-04T16:41:52.841Z", "datePublished": "2026-03-26T20:02:25.154Z", "dateUpdated": "2026-03-27T18:48:21.916Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:02:25.154Z"}, "title": "File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-020", "datePublic": "2026-03-04T17:54:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"vendor": "Drupal", "product": "File Access Fix (deprecated)", "collectionURL": "https://www.drupal.org/project/file_access_fix", "repo": "https://git.drupalcode.org/project/file_access_fix", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.<p>This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-020"}], "credits": [{"lang": "en", "value": "Pierre Rudloff (prudloff)", "type": "finder"}, {"lang": "en", "value": "Merlin Axel Rutz (geek-merlin)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T18:47:25.723873Z", "id": "CVE-2026-3525", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T18:48:21.916Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3525", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-04T16:41:52.841Z", "datePublished": "2026-03-26T20:02:25.154Z", "dateUpdated": "2026-03-27T18:48:21.916Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:02:25.154Z"}, "title": "File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-020", "datePublic": "2026-03-04T17:54:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"vendor": "Drupal", "product": "File Access Fix (deprecated)", "collectionURL": "https://www.drupal.org/project/file_access_fix", "repo": "https://git.drupalcode.org/project/file_access_fix", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.<p>This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-020"}], "credits": [{"lang": "en", "value": "Pierre Rudloff (prudloff)", "type": "finder"}, {"lang": "en", "value": "Merlin Axel Rutz (geek-merlin)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3525", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T18:47:25.723873Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T18:46:12.972Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n incorrecta en Drupal File Access Fix (obsoleto) permite la navegaci\u00f3n forzada. Este problema afecta a File Access Fix (obsoleto): desde 0.0.0 antes de 1.2.0."}], "id": "CVE-2026-3525", "lastModified": "2026-03-30T13:26:50.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T21:17:08.437", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-020"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "File Access Fix (deprecated)", "source": "cna", "vendor": "Drupal"}, "product": "file_access_fix_(deprecated)", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-27T20:25:15.002454+00:00", "value": {"mitigation_remediation": ["Upgrade the File Access Fix module to version 1.2.0 or later, which removes the incorrect authorization check.", "Disable or uninstall the deprecated module if it cannot be updated immediately.", "Configure Drupal\u2019s file access permissions to deny access to sensitive directories.", "Review access logs for abnormal file request patterns."], "summary": {"action": "Apply Patch", "impact": "Forceful Browsing"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Drupal's File Access Fix (deprecated) module versions from 0.0.0 up through 1.1.9. The module is marked deprecated and was in use on many Drupal installations prior to the release of the 1.2.0 fix. No other vendors or products are listed.", "description_and_impact": "Drupal's File Access Fix (deprecated) module contains an incorrect Authorization check that permits an attacker to forcefully retrieve any file accessible through the webserver. This flaw is classified as CWE-863 and enables forceful browsing, potentially exposing sensitive configuration or content files and compromising site confidentiality.", "risk_and_exploitability": "With a CVSS score of 5.3 and an EPSS below 1%, the risk profile is moderate and exploitation likelihood remains low. The flaw was not referenced in CISA\u2019s KEV catalog. An attacker can exploit it remotely by crafting a request to a file path that would otherwise be restricted, as long as the Drupal site is reachable. Successful exploitation could lead to the disclosure of privileged files and data sensitive to the organization."}}}}, "created": "2026-03-27T08:32:19.008448+00:00", "updated": "2026-03-27T20:26:09.166146+00:00", "vendors": ["drupal", "drupal$PRODUCT$file_access_fix_(deprecated)"]}