Incorrect Authorization in Drupal File Access Fix Affects Security
CVE-2026-3526

Currently unrated

Key Information:

Vendor: Drupal

CVE Published: 26 March 2026

What is CVE-2026-3526?

An incorrect authorization vulnerability exists in the deprecated Drupal File Access Fix, enabling potential forceful browsing. Attackers can exploit this flaw to access restricted files without proper authorization, compromising the integrity of sensitive data. Affected versions range from 0.0.0 up to, but not including, 1.2.0; users should upgrade to protect their applications against unauthorized access.

Affected Version(s)

File Access Fix (deprecated) 0.0.0 < 1.2.0

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pierre Rudloff (prudloff)
Merlin Axel Rutz (geek-merlin)
Damien McKenna (damienmckenna)
Greg Knaddison (greggles)
Juraj Nemec (poker10)