CVE-2026-1556
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications.
When multiple users upload files with the same filename, the File Field Paths module incorrectly overwrites the file URI during processing. Modules that act on the uploaded file in hook_node_insert() (for example, to send it as an email attachment) then receive the wrong private file: the one uploaded earlier by another user.
An authenticated attacker can exploit this by uploading a file with a colliding name, causing another user’s private file to be disclosed via the insert hook, bypassing normal access controls.
Information exposure, also referred to as information disclosure or sensitive data exposure, is often a high-severity vulnerability in which an application inadvertently reveals confidential or useful details to unauthorized parties because of inadequate protections such as weak cryptography, misconfigurations, or flawed access controls.
According to OWASP, this can stem from transmitting data in clear text, using outdated cryptographic algorithms, improper key management, or failing to sanitize error messages and responses, allowing attackers to intercept, infer, or directly access information like configurations, server details, user credentials, or API keys. It aligns with OWASP Top 10 categories including A01:2021 – Broken Access Control (ranked first) and A05:2021 – Security Misconfiguration (ranked fifth), as well as evolving from the 2017 A3: Sensitive Data Exposure, now encompassed in A02:2021 – Cryptographic Failures (ranked second). Attackers exploit this through techniques like network sniffing, analyzing error outputs, or leveraging misconfigured endpoints, potentially leading to escalated attacks.
Ramifications include:
- Data breaches
- Identity theft
- Financial losses
- Further exploits
- Legal penalties
- Reputational damage
This issue affects the File Field Paths module version 7.1.2 and lower.
Details
Module Info
- Product: Drupal
- Affected code: File Field Paths module
- Affected versions: >=7.1.0 <=7.1.2
- Project page: https://www.drupal.org/project/filefield_paths
- Fixed in: File Field Paths NES 7.1.3
Vulnerability Info
This medium-severity vulnerability is found in all versions of the Drupal File Field Paths module for Drupal 7 sites (7.1.2 and lower).
Mitigation
Users of the affected components should apply one of the following:
- Use private files everywhere: set file_default_scheme to private and configure a writable private:// path; in each image field (e.g., field_image) and any other field configured by File Field Paths, choose “Private files” as the Upload destination. Avoid public:// entirely.
- Avoid predictable collisions: set File (Field) Paths patterns to include unique tokens (e.g., [uid]/[random:hash] or timestamps) instead of shared paths like field/image, so two users don’t land in the same target path.
- Disable the module (note that you may lose significant functionality this way).
- Review hook_node_insert() (and similar) code that reads $file['uri'] and sends or forwards files; add sanity checks so you don’t act on a file owned by another user (e.g., confirm $file->uid === $node->uid, or check the scheme and path before copying).
- Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this module.
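As an added example (not code from this advisory or from the File Field Paths project), the following Drupal 7 hook_node_insert() implementation applies the checks described in the mitigation list before acting on a file: it reloads the managed file by its fid instead of trusting the URI in the field item, confirms that the file owner matches the node author, confirms that the file lives under the private:// scheme, and confirms that the field item's URI agrees with the stored record. The module name mymodule and the mymodule_send_attachment() consumer are assumptions; field_image is the field named above.

```php
<?php
// Added example, not code from the advisory or the File Field Paths project.
// Assumptions: a custom Drupal 7 module named "mymodule"; the field is
// field_image (named in the advisory); mymodule_send_attachment() is a
// hypothetical stand-in for whatever the site does with the file.

/**
 * Implements hook_node_insert().
 *
 * Forwards only files that verifiably belong to the node's author and that
 * live in the private file system.
 */
function mymodule_node_insert($node) {
  $items = field_get_items('node', $node, 'field_image');
  if (empty($items)) {
    return;
  }
  foreach ($items as $item) {
    $file = mymodule_verified_file($item, $node);
    if ($file) {
      mymodule_send_attachment($node, $file);
    }
  }
}

/**
 * Returns the managed file object for a field item, or FALSE if a check fails.
 *
 * The checks do not rely on the URI stored in the field item, which is the
 * value File Field Paths rewrites: the file is reloaded by fid and its owner,
 * scheme and URI are compared against what the node claims.
 */
function mymodule_verified_file(array $item, $node) {
  if (empty($item['fid'])) {
    return FALSE;
  }
  // Reload the {file_managed} record rather than trusting the field item.
  $file = file_load($item['fid']);
  if (!$file) {
    return FALSE;
  }
  // The file must be owned by the user who created the node.
  if ((int) $file->uid !== (int) $node->uid) {
    watchdog('mymodule', 'Refused to forward file @fid (owner uid @fuid) for node @nid (author uid @nuid).',
      array('@fid' => $file->fid, '@fuid' => $file->uid, '@nid' => $node->nid, '@nuid' => $node->uid),
      WATCHDOG_WARNING);
    return FALSE;
  }
  // Only private files are ever forwarded.
  if (file_uri_scheme($file->uri) !== 'private') {
    watchdog('mymodule', 'Refused to forward non-private file @uri.',
      array('@uri' => $file->uri), WATCHDOG_WARNING);
    return FALSE;
  }
  // The URI on the field item must match the stored record; a mismatch means
  // the item was rewritten after the record was saved, which is the symptom
  // of a filename collision.
  if (!empty($item['uri']) && $item['uri'] !== $file->uri) {
    watchdog('mymodule', 'URI mismatch for file @fid: field item says @item, record says @record.',
      array('@fid' => $file->fid, '@item' => $item['uri'], '@record' => $file->uri),
      WATCHDOG_WARNING);
    return FALSE;
  }
  return $file;
}

/**
 * Hypothetical consumer of the verified file (e.g. an email attachment).
 *
 * Site-specific; the advisory does not describe this step, so it is only a
 * placeholder here. Real code would go in this function body.
 */
function mymodule_send_attachment($node, $file) {
  watchdog('mymodule', 'Forwarding verified file @uri for node @nid.',
    array('@uri' => $file->uri, '@nid' => $node->nid), WATCHDOG_INFO);
}
```

Each refusal is written to the watchdog log, so a collision that File Field Paths mishandles shows up as a warning naming both file and node owners, which is what a reviewer would want to alert on while the module is being updated.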