Description
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing.

This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1.
Published: 2026-05-19
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper check for unusual or exceptional conditions in Drupal Node View Permissions that allows forceful browsing. This enables an attacker to access content that would normally be restricted, violating the intended permission controls.

Affected Systems

The affected product is the Drupal Node View Permissions module. Versions before 1.7.0 in the 0.0.0 line and before 2.0.1 in the 2.0.0 line are vulnerable. Any installation using these module releases is at risk.

Risk and Exploitability

The EPSS score is <1%, indicating a very low probability of exploitation, and the vulnerability is not listed in CISA KEV. The CVSS score is 3.7, which reflects a low severity impact. Based on the nature of the flaw, it is inferred that an unauthenticated attacker could supply arbitrary node URLs to force traversal of permission checks, making exploitation straightforward in the absence of a patch.

Generated by OpenCVE AI on May 20, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Node View Permissions to the latest patched version (≥1.7.0 or ≥2.0.1) following the Drupal security advisory.
  • Ensure that node permission checks are enforced to prevent unauthorized access to sensitive content.
  • If an upgrade cannot be performed immediately, tighten direct node URL permissions or use an auxiliary module that blocks forceful browsing until the patch is applied.

Generated by OpenCVE AI on May 20, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.drupal.org/sa-contrib-2026-034 cve-icon cve-icon
History

Wed, 20 May 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Drupal
Drupal node View Permissions
Vendors & Products Drupal
Drupal node View Permissions

Tue, 19 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing. This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1.
Title Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034
Weaknesses CWE-754
References

Subscriptions

Drupal Node View Permissions
cve-icon MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-05-20T16:36:03.045Z

Reserved: 2026-05-13T15:43:26.500Z

Link: CVE-2026-8491

cve-icon Vulnrichment

Updated: 2026-05-20T16:32:59.302Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-19T23:16:58.740

Modified: 2026-05-20T18:16:27.980

Link: CVE-2026-8491

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T18:30:36Z

Weaknesses