CVE-2026-1556 is an information disclosure vulnerability classified under CWE-200, affecting the Drupal File (Field) Paths module version 7.x-1.0 on Drupal 7.x platforms prior to 7.1.3. The vulnerability stems from the way the module processes file URIs when handling file uploads that result in filename collisions. Specifically, when an authenticated user uploads a file with a name that collides with an existing private file, the system may incorrectly assign the file URI. This misassignment causes hook_node_insert() consumers, such as email attachment modules, to receive incorrect file URIs, effectively bypassing the normal access control mechanisms that protect private files. As a result, an attacker with authenticated access can access or disclose other users' private files without proper authorization. The vulnerability does not require elevated privileges beyond authentication, nor does it require user interaction, making it easier to exploit in environments where user registration or login is possible. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and limited confidentiality impact (VC:L), resulting in a base score of 6.9 (medium severity). There are no known exploits in the wild at this time, but the vulnerability poses a significant risk to confidentiality of sensitive data stored in Drupal sites using the affected module. The issue was publicly disclosed on March 26, 2026, and users are advised to upgrade to version 7.1.3 or later where the vulnerability is fixed.

The primary impact of CVE-2026-1556 is unauthorized disclosure of sensitive information stored as private files within Drupal sites using the vulnerable File (Field) Paths module. This can lead to leakage of confidential user data, internal documents, or other protected content, potentially causing privacy violations, regulatory non-compliance, and reputational damage. Since the vulnerability can be exploited by any authenticated user without elevated privileges or user interaction, it increases the risk of insider threats or abuse by compromised accounts. Organizations relying on Drupal 7.x with this module may face data breaches that undermine trust and expose them to legal liabilities. The scope of affected systems is limited to Drupal 7.x sites using the vulnerable module version, but given Drupal’s widespread use in government, education, and enterprise sectors, the impact can be significant. Availability and integrity are not directly affected, but confidentiality breaches alone can have serious consequences depending on the nature of the exposed files.

To mitigate CVE-2026-1556, organizations should immediately upgrade the Drupal File (Field) Paths module to version 7.1.3 or later where the vulnerability is patched. If upgrading is not immediately possible, administrators should implement strict access controls on private file directories at the web server level to prevent unauthorized file access. Review and restrict file upload permissions to trusted users only, and monitor file upload activities for suspicious filename collisions or anomalies. Disable or carefully audit any hook_node_insert() consumers that handle file URIs, such as email attachment modules, to ensure they do not inadvertently expose private files. Employ logging and alerting on file access events to detect potential exploitation attempts. Additionally, consider isolating sensitive files outside the web root or using alternative secure file storage mechanisms. Regularly audit Drupal modules and dependencies for updates and security advisories to maintain a secure environment.