View online: https://www.drupal.org/sa-contrib-2026-020 Project: File Access Fix (deprecated) [1] Date: 2026-March-04 Security risk: *Moderately critical* 11 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass Affected versions: <1.2.0 CVE IDs: CVE-2026-3525 Description: This module moves files to and from private storage depending on the access of its owning entities. The module does not sufficiently incorporate the results of hook_file_download when a custom or contrib module implements that hook leading to access bypass. Solution: Install the latest version: * If you use the File access fix module, upgrade to File access fix 8.x-1.2 [3] Reported By: * Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security Team Fixed By: * Merlin Axel Rutz (geek-merlin) [5] Coordinated By: * Greg Knaddison (greggles) [6] of the Drupal Security Team * Juraj Nemec (poker10) [7] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [8] [1] https://www.drupal.org/project/file_access_fix [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/file_access_fix/releases/8.x-1.2 [4] https://www.drupal.org/u/prudloff [5] https://www.drupal.org/u/geek-merlin [6] https://www.drupal.org/u/greggles [7] https://www.drupal.org/u/poker10 [8] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....