Drupal 7.x File (FP): Authenticated Info Disclosure via URI collisions <7.1.3
CVE-2026-1556 Published on March 26, 2026

Information disclosure via file URI overwrite in File (Field) Paths
Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users private files via filenamecollision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.

NVD

Weakness Type

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2026-1556 has been classified to as an Information Disclosure vulnerability or weakness.

Products Associated with CVE-2026-1556

Want to know whenever a new CVE is published for Drupal? stack.watch will email you.

Drupal

Affected Versions

Drupal File (Field) Paths:

Version 7.x-1.0 and below 7.x-1.3 is affected.

Drupal 7.x File (FP): Authenticated Info Disclosure via URI collisions <7.1.3CVE-2026-1556 Published on March 26, 2026

Weakness Type

What is an Information Disclosure Vulnerability?

Products Associated with CVE-2026-1556

Affected Versions

Drupal 7.x File (FP): Authenticated Info Disclosure via URI collisions <7.1.3
CVE-2026-1556 Published on March 26, 2026