Project: 
Date: 
2026-July-15
Vulnerability: 
Information disclosure
Affected versions: 
<10.6.13 || >=11.3.0 <11.3.14 || >=11.4.0 <11.4.4 || 11.0.* || 11.1.* || 11.2.*
CVE IDs: 
CVE-2026-15916
Description: 

The Image module allows you to define and configure image fields.

The module doesn't sufficiently check access to image style derivatives when those files are served via a file stream other than private://.

This vulnerability is mitigated by the fact that Drupal must be configured to use a contributed (non-core) file scheme to serve private derived images.

Information disclosure issues like this one are not generally given security advisories (as described in PSA-2023-07-12)). This fix is provided as a hardening. Contributed modules implementing custom stream wrappers may need to add similar hardenings.

Solution: 

Install the latest version:

Drupal 11

  • If you use Drupal 11.4.x, update to Drupal 11.4.4.
  • If you use Drupal 11.3.x, update to Drupal 11.3.14.
  • Drupal 11.2.x and below are end-of-life and do not receive security coverage.

Drupal 10

  • If you use Drupal 10.6.x, update to Drupal 10.6.13.
  • Drupal 10.5.x and below are end-of-life and do not receive security coverage.

Drupal 8 and Drupal 9 have both reached end-of-life.

Reported By: 
Coordinated By: