Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.
AnalysisAI
Unpublished Node Permissions module for Drupal versions prior to 1.7.0 contains an incorrect authorization vulnerability (CWE-863) that permits forceful browsing of unpublished nodes by bypassing access controls. Attackers can view content that should be restricted to specific user roles by directly accessing node URLs, circumventing the module's permission enforcement logic. No public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
The Unpublished Node Permissions module (CPE: cpe:2.3:a:drupal:unpublished_node_permissions:*:*:*:*:*:*:*:*) is a Drupal contributed module designed to manage granular access permissions for unpublished content nodes. The vulnerability stems from a CWE-863 (Incorrect Authorization) flaw where the module fails to properly validate user permissions before granting access to unpublished node resources. The root cause involves insufficient authorization checks in the request handling logic, allowing authenticated or unauthenticated users to bypass permission gates through direct URL manipulation or forceful browsing techniques. This is a classic authorization bypass where the access control matrix is not properly enforced at the resource level.
RemediationAI
Immediately upgrade the Unpublished Node Permissions module to version 1.7.0 or later via the Drupal admin interface or Composer package manager. This release contains the authorization check corrections necessary to enforce proper access controls on unpublished nodes. Until patching is completed, implement temporary compensating controls: (1) restrict direct node access via web server rewrite rules to block forceful browsing patterns, (2) enforce strict Content Security Policy headers, (3) enable Drupal's built-in node access logging to audit access attempts, and (4) verify that unpublished node URLs are not indexed by search engines. Apply the patch immediately as this vulnerability directly circumvents content access controls. Consult the vendor advisory at https://www.drupal.org/sa-contrib-2026-029 for additional site-specific guidance.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16395