CVE-2026-1556
Description
Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
File (Field) Paths module for Drupal 7 prior to 7.1.3 allows authenticated users to disclose private files by uploading files with colliding filenames, causing incorrect file URIs in hook_node_insert().
Vulnerability
Overview
The File (Field) Paths module for Drupal 7 fails to properly update file object URIs after file move operations, leaving file objects with an inconsistent URI state that references the old location while the actual file exists at the new location [2]. When multiple users upload files with the same filename, the module incorrectly overwrites the file URI during processing, causing modules using hook_node_insert() to receive the wrong (previously uploaded) private file [1].
Exploitation
An authenticated attacker can exploit this by uploading a file with a colliding name, causing another user’s private file to be disclosed via the insert hook, bypassing normal access controls [1]. The vulnerability is mitigated by the requirement for administrative privileges to upload files and configure file paths, and it only affects sites using the module's automatic file organization features [2].
Impact
Successful exploitation leads to information disclosure of private files, which can expose sensitive data. According to OWASP, such information exposure can lead to data breaches, identity theft, financial losses, and reputational damage [1]. This aligns with OWASP Top 10 categories including Broken Access Control and Cryptographic Failures [1].
Mitigation
The issue is fixed in File (Field) Paths version 7.x-1.3. Users are advised to upgrade immediately [2]. No workarounds are mentioned; upgrading is the recommended solution.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:deciphered:filefield_paths:*:*:*:*:*:drupal:*:* (range: <7.x-1.3)
- (no CPE) (range: >=7.7.x < 7.1.3)
Patches
No patches discovered yet.
References
- www.herodevs.com/vulnerability-directory/cve-2026-1556 (nvd; Exploit, Third Party Advisory, Mitigation)
- d7es.tag1.com/security-advisories/file-field-paths-moderately-critical-file-path-manipulation (nvd; Third Party Advisory)