Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005
Description
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal core file download insufficiently sanitizes paths, enabling unauthorized access to private files; patched in multiple versions.
Vulnerability
The file download facility in Drupal core fails to sufficiently sanitize file paths in certain situations, allowing users to access private files they should not have access to [2]. This is an access bypass vulnerability classified as moderately critical [3].
Exploitation
Exploitation conditions vary by Drupal version and platform. For Drupal 7, all sites on Windows web servers are vulnerable, while sites on Linux are vulnerable only with certain file directory structures or if a vulnerable contributed or custom file access module is installed. For Drupal 9 and 10, sites are only vulnerable if certain contributed or custom file access modules are installed [3]. The vulnerability requires an authenticated user, but does not require any special privileges beyond the ability to download files.
Impact
Successful exploitation allows an attacker to read private files that should be restricted. The impact is limited to file disclosure; the vulnerability is considered not mass exploitable according to the Drupal Security Team [3].
Mitigation
Patches are available for affected versions: Drupal 7.96, 9.4.14, 9.5.8, 10.0.8, and later releases [3]. Some sites may require configuration changes after updating; administrators should review release notes for their Drupal version if issues with private file access arise [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
drupal/corePackagist | >= 10.0.0, < 10.0.8 | 10.0.8 |
drupal/corePackagist | >= 9.5.0, < 9.5.8 | 9.5.8 |
drupal/corePackagist | >= 9.0.0, < 9.4.14 | 9.4.14 |
drupal/corePackagist | >= 7.0.0, < 7.96 | 7.96 |
Affected products
3- osv-coords2 versions
>= 7.0.0, < 7.96.0+ 1 more
- (no CPE)range: >= 7.0.0, < 7.96.0
- (no CPE)range: >= 10.0.0, < 10.0.8
- Drupal/Corev5Range: 7.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-8849-cv9f-vccmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-31250ghsaADVISORY
- www.drupal.org/sa-core-2023-005ghsaWEB
News mentions
0No linked articles in our index yet.