Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2026-June-10
Security risk:
Vulnerability:
Access bypass
Affected versions:
<4.0.6
CVE IDs:
CVE-2026-11909
Description:
The Examples for Developers project aims to provide high-quality, well-documented API examples for a broad range of Drupal core functionality.
The "Read from a file" feature implemented by the file_example submodule can be used to expose any file that PHP can access. Therefore, the file_example sub-module is being removed from Examples for Developers until a version demonstrating file security best practices can be added back in the future. Developers who based a new module on this example should review their code for an access bypass.
Solution:
Any site with the file_example submodule installed should uninstall it immediately. Then, install the latest version of Examples for Developers:
- If you are using Examples for Developers 4.0.x, upgrade to Examples for Developers 4.0.6. Developers who based a new module on this example should review their code for an access bypass.
Reported By:
- Pierre Rudloff (prudloff) of the Drupal Security Team
Fixed By:
- Alberto Paderno (avpaderno)
- Pierre Rudloff (prudloff) of the Drupal Security Team
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
