CVE-2011-2726

Name: CVE-2011-2726
Creator: NVD / NIST
Published: 2019-11-15T17:15:12.523+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 1.60%

Last modified Jun 16, 2026

CVE-2011-2726 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL.. EPSS estimates a 1.60% chance of exploitation in the next 30 days.

Description

An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

1.60%

72.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-863

Affected Software

Vendor	Product	Versions
Drupal	Drupal	>= 7.0, < 7.5
Debian	Debian Linux	8.0
Debian	Debian Linux	9.0
Redhat	Enterprise Linux	5.0
Redhat	Enterprise Linux	6.0
Fedoraproject	Fedora	14
Fedoraproject	Fedora	15
Fedoraproject	Fedora	16

References

http://www.openwall.com/lists/oss-security/2012/03/19/10Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2012/03/20/14Mailing List, Third Party Advisory
https://access.redhat.com/security/cve/cve-2011-2726Broken Link
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2726Issue Tracking, Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2011-2726Third Party Advisory
https://www.drupal.org/node/1231510Vendor Advisory
http://www.openwall.com/lists/oss-security/2012/03/19/10Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2012/03/20/14Mailing List, Third Party Advisory
https://access.redhat.com/security/cve/cve-2011-2726Broken Link
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2726Issue Tracking, Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2011-2726Third Party Advisory
https://www.drupal.org/node/1231510Vendor Advisory

Timeline

Published: Nov 15, 2019
Last Modified: Jun 16, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2011-2726?

How severe is CVE-2011-2726?

CVE-2011-2726 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 1.60% probability of exploitation in the next 30 days.

How do I fix CVE-2011-2726?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2011-2726?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST