File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021

Project:

File Access Fix (deprecated)

Date:

2026-March-04

Security risk:

Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default

Vulnerability:

Access bypass

Affected versions:

<1.2.0

CVE IDs:

CVE-2026-3526

Description:

This module moves files to and from private storage depending on the access of its owning entities.

The module does not always validate the access logic correctly, resulting in files attached to an entity not being protected in certain circumstances.

This vulnerability is mitigated by the fact that saving an entity a second time resolves the issue.

Solution:

Install the latest version:

If you use the File access fix module, upgrade to File access fix 8.x-1.2

Reported By:

Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By:

Merlin Axel Rutz (geek-merlin)

Coordinated By:

Damien McKenna (damienmckenna) of the Drupal Security Team
Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Contribution record

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

Contributing organizations for this advisory

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.

File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community