CVE-2026-1556

Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.

CVSS

No CVSS.

References

Link	Resource
https://d7es.tag1.com/security-advisories/file-field-paths-moderately-critical-file-path-manipulation
https://www.herodevs.com/vulnerability-directory/cve-2026-1556

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-26 22:16

Updated : 2026-03-30 13:26

NVD link : CVE-2026-1556

Mitre link : CVE-2026-1556

CVE.ORG link : CVE-2026-1556

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2026-1556", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "mlhess@drupal.org", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-26T22:16:27.843", "references": [{"url": "https://d7es.tag1.com/security-advisories/file-field-paths-moderately-critical-file-path-manipulation", "source": "mlhess@drupal.org"}, {"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-1556", "source": "mlhess@drupal.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "mlhess@drupal.org", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users\u2019 private files via filename\u2011collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files."}, {"lang": "es", "value": "Revelaci\u00f3n de informaci\u00f3n en el procesamiento de URI de archivo de Rutas de Archivo (Campo) en Drupal File (Field) Paths 7.x anterior a 7.1.3 en Drupal 7.x permite a usuarios autenticados revelar archivos privados de otros usuarios mediante cargas por colisi\u00f3n de nombres de archivo. Esto puede causar que consumidores de hook_node_insert() (por ejemplo, m\u00f3dulos de adjuntos de correo electr\u00f3nico) reciban la URI de archivo incorrecta, eludiendo los controles de acceso normales en archivos privados."}], "lastModified": "2026-03-30T13:26:50.827", "sourceIdentifier": "mlhess@drupal.org"}

CVE-2026-1556

JSON object

Attach tags to CVE-2026-1556

Attach tags to `CVE-2026-1556`