Incorrect Authorization in Drupal File Access Fix Affects Security
CVE-2026-3526

Currently unrated

Key Information:

Vendor: Drupal
Status: File Access Fix (deprecated)
Vendor: CVE Published:; 26 March 2026

What is CVE-2026-3526?

An incorrect authorization vulnerability exists in the deprecated Drupal File Access Fix, enabling potential forceful browsing. This flaw can be exploited by attackers to access restricted files without proper authorization, compromising the integrity of sensitive data. The affected versions span from 0.0.0 up to but not including 1.2.0, emphasizing the need for users to upgrade to secure their applications against unauthorized access.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

File Access Fix (deprecated) 0.0.0 < 1.2.0

References

https://www.drupal.org/sa-contrib-2026-021

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 26, 2026
Vulnerability Reserved
Mar 4, 2026

Credit

Pierre Rudloff (prudloff)

Merlin Axel Rutz (geek-merlin)

Damien McKenna (damienmckenna)

Greg Knaddison (greggles)

Juraj Nemec (poker10)

JSON

Drupal