CVE-2026-1556 Overview
CVE-2026-1556 is an information disclosure vulnerability affecting the File (Field) Paths module for Drupal 7.x. The vulnerability exists in the file URI processing logic, which allows authenticated users to disclose other users' private files through filename-collision uploads. When exploited, this flaw causes hook_node_insert() consumers (such as email attachment modules) to receive incorrect file URIs, effectively bypassing normal access controls on private files.
Critical Impact
Authenticated users can access private files belonging to other users by exploiting filename collision handling, potentially exposing sensitive data through downstream integrations like email attachment modules.
Affected Products
- Drupal File (Field) Paths 7.x prior to version 7.1.3
- Drupal 7.x installations using the vulnerable module
- Systems using hook_node_insert() consumers that process file attachments
Discovery Timeline
- 2026-03-26 - CVE-2026-1556 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-1556
Vulnerability Analysis
This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The File (Field) Paths module improperly handles file URI resolution when filename collisions occur during the upload process. When two users upload files with identical names, the module fails to properly isolate file references, resulting in incorrect file URI associations being passed to downstream consumers.
The attack requires authentication but can be exploited with low complexity over the network. The primary impact is confidentiality-related, as attackers can gain unauthorized access to private files. The vulnerability is particularly dangerous in environments where the File (Field) Paths module integrates with email notification systems or other modules that consume hook_node_insert() events.
Root Cause
The root cause lies in the file URI resolution mechanism within the File (Field) Paths module. When processing file uploads, the module does not adequately handle filename collisions between different users' private file spaces. This results in file URI references being incorrectly mapped, causing the system to return a different user's file when the collision condition is met.
The vulnerability specifically affects the path token replacement and file destination handling logic, where the module fails to enforce proper file ownership boundaries during URI construction.
Attack Vector
The attack is network-based and requires authentication. An attacker must:
- Identify a target user who has uploaded a private file
- Upload a file with an identical filename to trigger a collision condition
- Exploit the resulting URI mismatch to access the target's private file through downstream module integrations
The vulnerability bypasses normal access controls because the incorrect file URI is passed to hook_node_insert() consumers, which then process and potentially expose the wrong file—for example, attaching it to email notifications sent to the attacker.
The exploitation does not require knowledge of the target file's exact location, as the collision-based attack leverages the module's internal path resolution logic. For complete technical details, refer to the Tag1 Security Advisory.
Detection Methods for CVE-2026-1556
Indicators of Compromise
- Unusual patterns of file uploads with common or predictable filenames
- Multiple users uploading identically named files in short time periods
- Log entries showing file access requests that don't match the authenticated user's expected files
- Anomalous email attachment activity involving private files
Detection Strategies
- Monitor file upload logs for filename collision patterns, particularly involving private file paths
- Implement file integrity monitoring to detect unexpected access to private file directories
- Review hook_node_insert() consumer logs for URI mismatches between expected and actual files
- Audit Drupal watchdog logs for file path manipulation warnings
Monitoring Recommendations
- Enable verbose logging for the File (Field) Paths module during assessment periods
- Configure alerting for rapid successive uploads with identical filenames from different user sessions
- Monitor outbound email systems for attachments containing files that don't match sender ownership
- Implement user behavior analytics to detect potential exploitation attempts
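As an added example (not code from the page, the module, or Tag1), the following script implements the "identical filenames from different user sessions" signal listed above over constructed upload log lines in an assumed format, flagging private-scheme collisions inside a time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample upload log lines; the "<timestamp> uid=<id> upload <uri>"
# format is an assumption for this example, not a real Drupal watchdog format.
SAMPLE_LOG = """\
2026-03-26T10:00:01Z uid=12 upload private://invoices/report.pdf
2026-03-26T10:00:40Z uid=12 upload private://invoices/notes.txt
2026-03-26T10:03:15Z uid=57 upload private://invoices/report.pdf
2026-03-26T10:04:02Z uid=57 upload public://images/logo.png
2026-03-26T10:05:00Z uid=88 upload public://images/logo.png
2026-03-26T18:00:00Z uid=99 upload private://invoices/report.pdf
"""

LINE_RE = re.compile(r"^(\S+) uid=(\d+) upload (\S+)$")

def parse(log_text):
    """Parse log lines into (timestamp, uid, uri, basename); skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        uri = m.group(3)
        events.append((ts, int(m.group(2)), uri, uri.rsplit("/", 1)[-1]))
    return events

def find_collisions(log_text, window_minutes=10, private_only=True):
    """Return (basename, earlier_uid, later_uid, seconds_apart) for identical
    basenames uploaded by different users within the window. Same-user
    re-uploads are not collisions in the sense of this advisory."""
    events = sorted(parse(log_text))
    window = timedelta(minutes=window_minutes)
    by_name = defaultdict(list)
    hits = []
    for ts, uid, uri, name in events:
        if private_only and not uri.startswith("private://"):
            continue
        for prev_ts, prev_uid in by_name[name]:
            if prev_uid != uid and ts - prev_ts <= window:
                hits.append((name, prev_uid, uid, int((ts - prev_ts).total_seconds())))
        by_name[name].append((ts, uid))
    return hits

if __name__ == "__main__":
    for hit in find_collisions(SAMPLE_LOG):
        print("possible collision: %s by uid %d then uid %d, %ds apart" % hit)
```

The same-name upload by uid 99 eight hours later falls outside the window and is not reported; widen the window or drop the private-only filter to trade noise for coverage.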
How to Mitigate CVE-2026-1556
Immediate Actions Required
- Upgrade Drupal File (Field) Paths module to version 7.1.3 or later immediately
- Audit recent file uploads for potential exploitation of filename collision scenarios
- Review email and notification logs for any unauthorized file disclosures
- Consider temporarily disabling file upload functionality if immediate patching is not possible
Patch Information
The vulnerability has been addressed in Drupal File (Field) Paths version 7.1.3. Organizations running earlier versions of the 7.x branch should upgrade immediately. For additional information, consult the Tag1 Security Advisory and the Hero Devs vulnerability directory.
Workarounds
- Disable the File (Field) Paths module if not critical to operations until patching can be completed
- Implement server-side filename uniqueness enforcement using timestamps or random suffixes
- Restrict file upload permissions to trusted user roles only
- Disable hook_node_insert() consumers that process file attachments as a temporary measure
- Configure private file access to require explicit administrative approval
Upgrade via Drush
# Drupal module update via Drush
drush pm-update filefield_paths
# Verify installed version
drush pm-info filefield_paths | grep Version
# Clear Drupal caches after update
drush cache-clear all
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.