CVE-2026-1556: Drupal 7: Attacker can access private user files

Summary

Authenticated users can access other users' private files due to a weakness in how the File (Field) Paths module for Drupal 7 processes file URIs. This could allow an attacker to bypass access controls and view files they shouldn't be able to see. Update to version 7.1.3 or later to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions
deciphered | filefield_paths | < 7.x-1.3
cpe:2.3:a:deciphered:filefield_paths:*:*:*:*:*:drupal:*:*
Original title
Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private fil...
Original description
Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.
NVD CVSS 4.0 score: 6.9
Vulnerability type
CWE-200 Information Exposure
Published: 26 Mar 2026 · Updated: 15 Jun 2026 · First seen: 26 Mar 2026