Description
Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing. This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.
Published: 2026-03-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to unpublished content
Action: Immediate Patch
AI Analysis

Impact

The Unpublished Node Permissions module in Drupal contains an incorrect authorization flaw that allows attackers to circumvent normal access controls and retrieve content that should remain hidden from non-privileged users. This weakness falls under CWE-863 and enables forceful browsing, letting an attacker read unpublished nodes by requesting their URLs. Consequently, sensitive or unpublished information may be exposed to unauthenticated parties, compromising confidentiality.

Affected Systems

Drupal installations that have the Unpublished Node Permissions contributed module installed at any version from 0.0.0 up to, but not including, 1.7.0 are affected. The issue applies to all sites using these older versions, regardless of the content type or publishing workflow.

Risk and Exploitability

The CVSS score of 7.5 indicates a high-severity vulnerability. The EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The flaw is not listed in the CISA KEV catalog, and no other major exploits are publicly documented. Based on the description, the likely attack vector involves sending crafted HTTP GET requests to suspected unpublished node URLs, which, when successful, return the full node content without authentication.

Generated by OpenCVE AI on April 2, 2026 at 05:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the Unpublished Node Permissions module (1.7.0 or newer).
  • If upgrading is not possible, disable the module or enforce stricter node access controls to block direct URL access.
  • Verify the patch by testing that previously unpublished nodes can no longer be retrieved via a direct URL.
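As an added example (not code from the Unpublished Node Permissions module or from the Drupal advisory), the "enforce stricter node access controls" step above can be implemented as a custom module, assumed here to be named unpub_guard, that uses Drupal core's hook_node_access() to forbid viewing unpublished nodes unless the account holds core's 'bypass node access' permission or is the owner with 'view own unpublished content'. A forbidden result from any hook wins over grants, so this also blocks whatever extra unpublished-view permissions the affected module defines; it is a stopgap until 1.7.0 is installed.

```php
<?php

/**
 * @file
 * Hypothetical unpub_guard module (example only, not the affected module's code).
 *
 * Refuses "view" access to unpublished nodes for every account that lacks an
 * explicit core permission to see unpublished content, regardless of what
 * other node access modules grant.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

/**
 * Implements hook_node_access().
 */
function unpub_guard_node_access(NodeInterface $node, $operation, AccountInterface $account) {
  // Only the "view" operation on unpublished nodes is in scope; everything
  // else is left to core and other modules to decide.
  if ($operation !== 'view' || $node->isPublished()) {
    return AccessResult::neutral();
  }

  // Core permissions that legitimately expose unpublished content.
  $is_owner = (int) $node->getOwnerId() === (int) $account->id();
  $allowed = $account->hasPermission('bypass node access')
    || ($is_owner && $account->hasPermission('view own unpublished content'));

  if ($allowed) {
    // Stay neutral so core's own checks still apply; cache by permissions
    // and by the node so publishing the node invalidates the result.
    return AccessResult::neutral()
      ->cachePerPermissions()
      ->addCacheableDependency($node);
  }

  // Deny outright. Forbidden results override allowed/neutral results from
  // other hook_node_access() implementations and from node access grants.
  return AccessResult::forbidden('Unpublished node and no unpublished-content permission.')
    ->cachePerPermissions()
    ->cachePerUser()
    ->addCacheableDependency($node);
}
```

Place the file in the custom module's .module file and clear caches; an anonymous request for an unpublished node's URL should then receive 403 even where the affected module previously granted access.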


Advisories

No advisories yet.

References
History

Wed, 01 Apr 2026 23:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Jeroenb
                                      Jeroenb unpublished Node Permissions
CPEs                                  cpe:2.3:a:jeroenb:unpublished_node_permissions:*:*:*:*:*:drupal:*:*
Vendors & Products                    Jeroenb
                                      Jeroenb unpublished Node Permissions

Mon, 30 Mar 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1
                           {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Fri, 27 Mar 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Drupal
                                      Drupal unpublished Node Permissions
Vendors & Products                    Drupal
                                      Drupal unpublished Node Permissions

Thu, 26 Mar 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description                    Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing. This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.
Title                          Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029
Weaknesses                     CWE-863
References

MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-03-30T14:54:36.334Z

Reserved: 2026-03-26T19:50:20.404Z

Link: CVE-2026-4933

Vulnrichment

Updated: 2026-03-30T14:41:47.113Z

NVD

Status : Analyzed

Published: 2026-03-26T21:17:10.360

Modified: 2026-04-01T16:18:33.603

Link: CVE-2026-4933

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:56:22Z

Weaknesses