View online: https://www.drupal.org/sa-contrib-2026-021

Project: File Access Fix (deprecated) [1] Date: 2026-March-04 Security risk: *Moderately critical* 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass

Affected versions: <1.2.0 CVE IDs: CVE-2026-3526 Description:  This module moves files to and from private storage depending on the access of its owning entities.

The module does not always validate the access logic correctly, resulting in files attached to an entity not being protected in certain circumstances.

This vulnerability is mitigated by the fact that saving an entity a second time resolves the issue.

Solution:  Install the latest version:

* If you use the File access fix module, upgrade to File access fix 8.x-1.2 [3]

Reported By:  * Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security Team

Fixed By:  * Merlin Axel Rutz (geek-merlin) [5]

Coordinated By:  * Damien McKenna (damienmckenna) [6] of the Drupal Security Team * Greg Knaddison (greggles) [7] of the Drupal Security Team * Juraj Nemec (poker10) [8] of the Drupal Security Team

------------------------------------------------------------------------------ Contribution record [9]

[1] https://www.drupal.org/project/file_access_fix [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/file_access_fix/releases/8.x-1.2 [4] https://www.drupal.org/u/prudloff [5] https://www.drupal.org/u/geek-merlin [6] https://www.drupal.org/u/damienmckenna [7] https://www.drupal.org/u/greggles [8] https://www.drupal.org/u/poker10 [9] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....