Drupal Security

Project: File Access Fix (deprecated)Date: 2026-March-04Security risk: Moderately critical 11 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <1.2.0CVE IDs: CVE-2026-3525Description: 

This module moves files to and from private storage depending on the access of its owning entities.
The module does not sufficiently incorporate the results of hook_file_download when a custom or contrib module implements that hook leading to access bypass.

Solution: 

Install the latest version:

• If you use the File access fix module, upgrade to File access fix 8.x-1.2

Reported By: 

• Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By: 

• Merlin Axel Rutz (geek-merlin)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team