SB2026030512 - Multiple vulnerabilities in File Access Fix (deprecated) module for Drupal

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2026-3526)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the affected module does not always validate the access logic correctly. A remote attacker can gain access to sensitive information on the system.

2) Improper access control (CVE-ID: CVE-2026-3525)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.

Remediation

Install update from vendor's website.

References

• https://www.drupal.org/sa-contrib-2026-021
• https://www.drupal.org/sa-contrib-2026-020