Bug 2451981 (CVE-2026-1556)

Summary: CVE-2026-1556 Drupal: File (Field) Paths: Drupal File (Field) Paths: Information Disclosure via filename-collision uploads
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Drupal File (Field) Paths. This information disclosure vulnerability allows authenticated users to disclose other users’ private files. This can be exploited by performing filename-collision uploads, which causes the system to receive incorrect file Uniform Resource Identifiers (URIs), thereby bypassing normal access controls on private files.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2452014, 2452015    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-26 22:01:52 UTC 
Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.