it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021
- Date: Wed, 4 Mar 2026 17:56:19 +0000
- Archived-at: <https://lists.drupal.org/mailman3/hyperkitty/list/security-news AT drupal.org/message/T3X7A5C3RYJA6ARKPFAVUL23YUGGGJS3/>
- List-archive: <https://lists.drupal.org/mailman3/hyperkitty/list/security-news AT drupal.org/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2026-021
Project: File Access Fix (deprecated) [1]
Date: 2026-March-04
Security risk: *Moderately critical* 12 ∕ 25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <1.2.0
CVE IDs: CVE-2026-3526
Description:
This module moves files to and from private storage depending on the access
of its owning entities.
The module does not always validate the access logic correctly, resulting in
files attached to an entity not being protected in certain circumstances.
This vulnerability is mitigated by the fact that saving an entity a second
time resolves the issue.
Solution:
Install the latest version:
* If you use the File access fix module, upgrade to File access fix 8.x-1.2
[3]
Reported By:
* Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security
Team
Fixed By:
* Merlin Axel Rutz (geek-merlin) [5]
Coordinated By:
* Damien McKenna (damienmckenna) [6] of the Drupal Security Team
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [9]
[1] https://www.drupal.org/project/file_access_fix
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/file_access_fix/releases/8.x-1.2
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/geek-merlin
[6] https://www.drupal.org/u/damienmckenna
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10
[9] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3577060
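
An added example, not part of the advisory or the module's code: a check of a site's `composer.lock` against the affected range stated above (`<1.2.0`). The Composer package name `drupal/file_access_fix` is an assumption derived from the project URL, and the sample lock content is constructed.

```python
import json
import re

# Assumption: Composer package name derived from the drupal.org project URL.
PACKAGE = "drupal/file_access_fix"
# The advisory lists "<1.2.0" as affected; 8.x-1.2 is the fixed release.
FIXED = (1, 2, 0)

def parse_version(raw):
    """Return ((major, minor, patch), is_prerelease), or None for dev branches."""
    v = re.sub(r"^\d+\.x-", "", raw.lstrip("v"))  # accept legacy tags like 8.x-1.2
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?", v)
    if m is None or v.endswith("-dev"):
        return None
    release = tuple(int(p or 0) for p in m.groups()[:3])
    return release, m.group(4) is not None

def check_lock(lock_text):
    """Classify the locked version: 'absent', 'affected', 'fixed' or 'review'."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") != PACKAGE:
            continue
        raw = pkg.get("version", "")
        parsed = parse_version(raw)
        if parsed is None:
            return "review", raw      # dev branch: cannot be ordered against 1.2.0
        release, prerelease = parsed
        if release < FIXED:
            return "affected", raw
        if release == FIXED and prerelease:
            return "review", raw      # pre-release of the fixed version
        return "fixed", raw
    return "absent", None

# Constructed sample composer.lock content (not taken from a real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.1"},
        {"name": "drupal/file_access_fix", "version": "1.1.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

To check a real site, pass the text of its `composer.lock` to `check_lock`; a `review` result means the locked version is a dev branch or pre-release that needs a manual look.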