CVE-2026-1556
Received Received - Intake
Information Disclosure in Drupal 7.x File (Field) Paths Module

Publication date: 2026-03-26

Last updated on: 2026-04-02

Assigner: Drupal.org

Description
Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1556
EUVD
EUVD-2026-16422
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
deciphered filefield_paths to 7.x-1.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an information disclosure issue in Drupal 7.x versions prior to 7.1.3 related to the processing of file URIs in File (Field) Paths. Authenticated users can exploit filename-collision uploads to access other users' private files. This happens because the system may provide incorrect file URIs to certain consumers, such as email attachment modules, bypassing the normal access controls that protect private files.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of private files belonging to other users. This means that sensitive or confidential information stored in private files could be exposed to authenticated users who should not have access, potentially leading to privacy breaches or data leaks.

Compliance Impact

This vulnerability allows authenticated users to disclose other users’ private files due to improper file URI processing and filename-collision uploads in Drupal 7.x prior to 7.1.3. Such unauthorized disclosure of private files can lead to violations of data protection and privacy requirements mandated by standards like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

By bypassing normal access controls on private files, this vulnerability increases the risk of unauthorized data exposure, potentially resulting in non-compliance with regulations that mandate confidentiality and integrity of user data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1556. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart