Skip to main content

Unpublished Node Permissions CVE-2026-4933

| EUVDEUVD-2026-16395 HIGH
Incorrect Authorization (CWE-863)
2026-03-26 drupal
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 20:31 euvd
EUVD-2026-16395
Analysis Generated
Mar 26, 2026 - 20:31 vuln.today
CVE Published
Mar 26, 2026 - 20:10 nvd
HIGH 7.5

DescriptionCVE.org

Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.

AnalysisAI

Unpublished Node Permissions module for Drupal versions prior to 1.7.0 contains an incorrect authorization vulnerability (CWE-863) that permits forceful browsing of unpublished nodes by bypassing access controls. Attackers can view content that should be restricted to specific user roles by directly accessing node URLs, circumventing the module's permission enforcement logic. No public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

The Unpublished Node Permissions module (CPE: cpe:2.3:a:drupal:unpublished_node_permissions:*:*:*:*:*:*:*:*) is a Drupal contributed module designed to manage granular access permissions for unpublished content nodes. The vulnerability stems from a CWE-863 (Incorrect Authorization) flaw where the module fails to properly validate user permissions before granting access to unpublished node resources. The root cause involves insufficient authorization checks in the request handling logic, allowing authenticated or unauthenticated users to bypass permission gates through direct URL manipulation or forceful browsing techniques. This is a classic authorization bypass where the access control matrix is not properly enforced at the resource level.

RemediationAI

Immediately upgrade the Unpublished Node Permissions module to version 1.7.0 or later via the Drupal admin interface or Composer package manager. This release contains the authorization check corrections necessary to enforce proper access controls on unpublished nodes. Until patching is completed, implement temporary compensating controls: (1) restrict direct node access via web server rewrite rules to block forceful browsing patterns, (2) enforce strict Content Security Policy headers, (3) enable Drupal's built-in node access logging to audit access attempts, and (4) verify that unpublished node URLs are not indexed by search engines. Apply the patch immediately as this vulnerability directly circumvents content access controls. Consult the vendor advisory at https://www.drupal.org/sa-contrib-2026-029 for additional site-specific guidance.

Share

CVE-2026-4933 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy