Incorrect Authorization in Drupal File Access Fix (Deprecated)
CVE-2026-3525

Currently unrated

Key Information:

Vendor

Drupal

CVE Published:
26 March 2026

What is CVE-2026-3525?

An incorrect authorization vulnerability in the deprecated Drupal File Access Fix allows attackers to perform forceful browsing, potentially exposing sensitive information. This flaw affects versions from 0.0.0 up to, but not including, 1.2.0. Users should consider upgrading to secure their installations against unauthorized access.

Affected Version(s)

File Access Fix (deprecated) 0.0.0 < 1.2.0

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pierre Rudloff (prudloff)
Merlin Axel Rutz (geek-merlin)
Greg Knaddison (greggles)
Juraj Nemec (poker10)