CVE-2026-1556: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Drupal Drupal File (Field) Paths
CVE-2026-1556 is an information disclosure vulnerability in Drupal File (Field) Paths 7.x prior to version 7.1.3. It allows authenticated users to access other users' private files by exploiting filename-collision uploads. This vulnerability affects the file URI processing, causing certain consumers of hook_node_insert()—such as email attachment modules—to receive incorrect file URIs, thereby bypassing normal access controls on private files. The vulnerability has a medium severity with a CVSS score of 6.9. No official patch or remediation information is provided in the available data.
AI Analysis
Technical Summary
This vulnerability in Drupal File (Field) Paths 7.x (versions prior to 7.1.3) involves improper handling of file URIs during filename-collision uploads. Authenticated users can exploit this flaw to disclose private files belonging to other users. The issue arises because hook_node_insert() consumers may receive incorrect file URIs, which bypasses the intended access control mechanisms on private files. This can lead to unauthorized exposure of sensitive information.
Potential Impact
An authenticated user can access private files of other users without proper authorization due to incorrect file URI processing. This results in exposure of sensitive information that should be protected by access controls. The impact is limited to information disclosure and requires user authentication.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vulnerability affects versions prior to 7.1.3, upgrading to version 7.1.3 or later may address the issue if such a version exists. Until official guidance or patches are available, restrict authenticated user permissions to minimize risk.
Technical Details
- Data Version: 5.2
- Assigner Short Name: drupal
- Date Reserved: 2026-01-28T17:20:34.800Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c5a54b3c064ed76fcfc818
Added to database: 3/26/2026, 9:29:47 PM
Last enriched: 4/3/2026, 1:34:16 PM
Last updated: 5/11/2026, 6:50:29 AM