Thursday, Apr 4th, 2019
Security risk: 
Less Critical
Advisory ID: 
Access bypass
Versions affected: 
  • Services 1.x versions prior to 1.x-3.0.4-beta

This module provides a standardized solution for building API's so that external clients can communicate with Backdrop.

The Services module has an access bypass vulnerability in its "attach_file" resource that allows users who have access to create or update pieces of content that include file fields to arbitrarily reference files they do not have access to, which can expose private files.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit a piece of content.


Upgrade your site to the most recent version of Services. Download available on the Services 1.x-3.0.4-beta release page. See the update instructions, if needed.

Reported By: 
Fixed By: 
Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  • Log in to
  • Edit your profile
  • Scroll down to the "Email notifications" section
  • Check the box labeled "Receive security announcements for core and contrib projects"