Skip to main content

Internationalization I18N I18N Node Submodule CVE-2026-0748

| EUVDEUVD-2026-16420 MEDIUM
Improper Access Control (CWE-284)
2026-03-26 drupal GHSA-qwjq-cprg-rrcp
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 21:46 euvd
EUVD-2026-16420
Analysis Generated
Mar 26, 2026 - 21:46 vuln.today
CVE Published
Mar 26, 2026 - 21:17 nvd
MEDIUM 5.3

DescriptionCVE.org

In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs.

Exploit affects versions 7.x-1.0 up to and including 7.x-1.35.

AnalysisAI

The Drupal 7 Internationalization (i18n) module's i18n_node submodule allows authenticated users holding both 'Translate content' and 'Administer content translations' permissions to bypass access controls and view unpublished node titles and IDs through the translation user interface and autocomplete functionality. Affected versions range from 7.x-1.0 through 7.x-1.35. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical ContextAI

The i18n module (CPE: cpe:2.3:a:drupal:internationalization_(i18n)_-_i18n_node_submodule:*:*:*:*:*:*:*:*) extends Drupal 7's content translation capabilities. The vulnerability stems from improper access control validation in the i18n_node submodule, specifically in how the translation UI and its autocomplete widget handle node references. CWE-284 (Improper Access Control-Permissions, Privileges, and Other Access Controls) identifies the root cause: the module fails to properly enforce the distinction between published and unpublished nodes during translation operations, allowing users with specific translation permissions to circumvent the standard node access checks. This occurs because the autocomplete and node attachment mechanisms do not re-verify publication status after permission checks pass.

RemediationAI

Upgrade the i18n module to a patched version beyond 7.x-1.35 as soon as a security release is available from the Drupal project. Monitor the official Drupal security advisories and the Hero Devs vulnerability directory (https://www.herodevs.com/vulnerability-directory/cve-2026-0748) for patch availability and release notes. Until an official patch is released, restrict the assignment of both 'Translate content' and 'Administer content translations' permissions to trusted administrator-level users only, and audit existing permission assignments to identify and revoke dual-permission grants from non-essential accounts. Consider implementing a code review or custom access control layer in the i18n_node module if an extended delay in patch availability is anticipated.

Share

CVE-2026-0748 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy