View online: https://www.drupal.org/sa-contrib-2026-020

Project: File Access Fix (deprecated) [1] Date: 2026-March-04 Security risk: *Moderately critical* 11 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass

Affected versions: <1.2.0 CVE IDs: CVE-2026-3525 Description:  This module moves files to and from private storage depending on the access of its owning entities. The module does not sufficiently incorporate the results of hook_file_download when a custom or contrib module implements that hook leading to access bypass.

Solution:  Install the latest version:

* If you use the File access fix module, upgrade to File access fix 8.x-1.2 [3]

Reported By:  * Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security Team

Fixed By:  * Merlin Axel Rutz (geek-merlin) [5]

Coordinated By:  * Greg Knaddison (greggles) [6] of the Drupal Security Team * Juraj Nemec (poker10) [7] of the Drupal Security Team

------------------------------------------------------------------------------ Contribution record [8]

[1] https://www.drupal.org/project/file_access_fix [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/file_access_fix/releases/8.x-1.2 [4] https://www.drupal.org/u/prudloff [5] https://www.drupal.org/u/geek-merlin [6] https://www.drupal.org/u/greggles [7] https://www.drupal.org/u/poker10 [8] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....