Advisory ID: 
Access bypass
Versions affected: 
  • Backdrop Core 1.x.x versions prior to 1.3.5

Backdrop CMS doesn't sufficiently check permissions to access editor dialogs or check the access to upload images within those editor dialogs. This may allow anonymous users to upload temporary images to the server. These files are temporary and will be automatically deleted by the server after 6 hours, mitigating the possibility of the server becoming filled with temporary files.

This release also includes an informational fix to a security-related warning on the status report. Backdrop CMS was not correctly checking if the "update free access" setting was disabled when reporting site status to administrators. This does not indicate a vulnerability; the status report is now fixed to show the warning if needed.


Upgrade your site to the latest version of Backdrop CMS. Download available at Backdrop CMS 1.3.5 release page. Update instructions are available at

Reported By: 

Editor Access Bypass:

Settings.php Update Free Access Check:

Fixed By: 

Editor Access Bypass:

Settings.php Update Access Check:

  • JF provisional member of the Backdrop CMS Security Team
  • Jen Lampton of the Backdrop CMS Security Team