Information disclosure via file URI overwrite in File (Field) Paths

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Description

Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.

Basic Information

ID CVE-2026-1556

Source drupal

Published Mar 26, 2026 at 21:14

Modified Mar 27, 2026 at 19:39

Affected Product

Vendor Drupal

Product Drupal File (Field) Paths

Version 7.x-1.0

Affected Versions Drupal Drupal File (Field) Paths 7.x-1.0

CWE Classification

CWE-200

References

{
    "lastseen": "",
    "description": "Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users\u2019 private files via filename\u2011collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.",
    "published": "2026-03-26T21:14:20.549Z",
    "modified": "2026-03-27T19:39:20.961Z",
    "type": "cve",
    "title": "Information disclosure via file URI overwrite in File (Field) Paths",
    "source": "drupal",
    "references": "https://www.herodevs.com/vulnerability-directory/cve-2026-1556\nhttps://d7es.tag1.com/security-advisories/file-field-paths-moderately-critical-file-path-manipulation",
    "id": "CVE-2026-1556",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "Drupal Drupal File (Field) Paths 7.x-1.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Drupal File (Field) Paths",
    "version": "7.x-1.0",
    "vendor": "Drupal",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Information disclosure via file URI overwrite in File (Field) Paths_CVE-2026-1556