Date: Wednesday, Apr 22nd, 2026
Advisory ID: BACKDROP-SA-CORE-2026-003
Security risk: Moderately Critical
Vulnerability: Access bypass
Versions affected: 
  • Backdrop Core 1.33.x versions prior to 1.33.2
  • Backdrop Core 1.32.x versions prior to 1.32.3
  • Backdrop versions 1.31 and prior do not receive security coverage.
Description: 

Backdrop bulk operations did not always check permissions appropriately. This could allow someone with permission to use bulk operations generally to use bulk operations on the file management page and delete files that they did not have specific permission to delete. This vulnerability is mitigated by the fact that the user must have the "Access the manage files overview" permission.
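
The failure pattern described above, as an added example: a simplified PHP model, not Backdrop's code or its patch. All function names, array keys and permission strings are hypothetical, and the sample data is constructed.

```php
<?php
// Simplified model of the bug class in this advisory. Not Backdrop code:
// every function, array key and permission string here is hypothetical.

// Per-file rule: a blanket delete permission, or ownership plus "delete own".
function can_delete_file(array $user, array $file): bool {
    return in_array('delete any file', $user['perms'], true)
        || ($file['owner'] === $user['id']
            && in_array('delete own files', $user['perms'], true));
}

// Flawed shape: the page-level permission is the only gate, so every
// selected ID is deleted regardless of per-file rights.
function bulk_delete_flawed(array $user, array $ids, array &$files): array {
    if (!in_array('access file overview', $user['perms'], true)) {
        return [];
    }
    $deleted = [];
    foreach ($ids as $id) {
        if (isset($files[$id])) {
            unset($files[$id]);
            $deleted[] = $id;
        }
    }
    return $deleted;
}

// Hardened shape: same gate, plus the per-file check on each item at
// execution time. Denied or unknown IDs are skipped, not deleted.
function bulk_delete_checked(array $user, array $ids, array &$files): array {
    if (!in_array('access file overview', $user['perms'], true)) {
        return [];
    }
    $deleted = [];
    foreach ($ids as $id) {
        if (isset($files[$id]) && can_delete_file($user, $files[$id])) {
            unset($files[$id]);
            $deleted[] = $id;
        }
    }
    return $deleted;
}

// Constructed sample data: user 7 owns file 10 only.
$user = ['id' => 7, 'perms' => ['access file overview', 'delete own files']];
$make = fn() => [10 => ['owner' => 7], 11 => ['owner' => 3], 12 => ['owner' => 1]];
$a = $make();
$b = $make();
echo 'flawed:  ', implode(',', bulk_delete_flawed($user, [10, 11, 12], $a)), PHP_EOL;
echo 'checked: ', implode(',', bulk_delete_checked($user, [10, 11, 12], $b)), PHP_EOL;
```

Run with the PHP CLI (7.4 or later). The two handlers differ only in the per-item check inside the loop, which is the check a bulk action has to repeat for every selected item rather than rely on the page-level permission.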

Solution: 

Upgrade your site to the most recent version of Backdrop core. Download the latest release from the Backdrop CMS Releases page or use the built-in updater to self-update. See the update instructions, if needed.

Reported By: 
  • Olaf Grabienski
  • Peter Anderson
Fixed By: 
  • Nate Lampton of the Backdrop CMS Security Team
  • Jen Lampton of the Backdrop CMS Security Team
  • Olaf Grabienski
  • Peter Anderson
Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  1. Log in to backdropcms.org
  2. Edit your profile
  3. Switch to the "Subscriptions" tab
  4. Check the box labeled "Security updates"
  5. Save the form