Description
In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs.

Exploit affects versions 7.x-1.0 up to and including 7.x-1.35.
Published: 2026-03-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Access Bypass/Information Disclosure
Action: Patch Now
AI Analysis

Impact

The vulnerability in the Drupal 7 Internationalization i18n module’s i18n_node submodule allows a user who holds both the "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes through the translation UI and its autocomplete widget. This bypasses normal access controls, exposing unpublished node titles and identifiers to those users. The weakness lies in insufficient permission checks before exposing unpublished content, which aligns with CWE-276 and CWE-284.

Affected Systems

All Drupal 7 sites that have the i18n module installed between versions 7.x-1.0 and 7.x-1.35 are affected. The issue is limited to the i18n_node submodule of the Internationalization project and applies to any Drupal 7 instance that includes this module in that version range.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity level. With an EPSS score below 1% and no presence in the CISA KEV catalog, the overall likelihood of exploitation is low, although not negligible. The probably attack vector is through the web-based translation interface, where an authenticated user with the required permissions could trigger the information disclosure by accessing the autocomplete functionality. No external preconditions beyond existing permissions are needed for exploitation.

Generated by OpenCVE AI on April 2, 2026 at 02:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the i18n module to version 7.x-1.36 or later.
  • If an upgrade is not immediately possible, revoke the "Administer content translations" permission from all but the most trusted roles, ensuring no single user has both required permissions.
  • As a temporary measure, disable the translation autocomplete widget in the module’s configuration to stop the specific disclosure path.
  • Confirm that no users hold the combination of both permissions after remediation is applied.

Generated by OpenCVE AI on April 2, 2026 at 02:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Internationalization Project
Internationalization Project internationalization
Weaknesses CWE-276
CPEs cpe:2.3:a:internationalization_project:internationalization:*:*:*:*:*:drupal:*:*
Vendors & Products Internationalization Project
Internationalization Project internationalization
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Fri, 27 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Drupal
Drupal internationalization
Vendors & Products Drupal
Drupal internationalization

Thu, 26 Mar 2026 21:45:00 +0000

Type Values Removed Values Added
Description In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. Exploit affects versions 7.x-1.0 up to and including 7.x-1.35.
Title Access bypass in Drupal 7 i18n_node translation UI
Weaknesses CWE-284
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}

Subscriptions

Drupal Internationalization
Internationalization Project Internationalization
cve-icon MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-03-27T13:55:09.117Z

Reserved: 2026-01-08T19:50:35.556Z

Link: CVE-2026-0748

cve-icon Vulnrichment

Updated: 2026-03-27T13:32:14.892Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T22:16:27.100

Modified: 2026-04-01T16:22:14.743

Link: CVE-2026-0748

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:56:16Z

Weaknesses