Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs.
Exploit affects versions 7.x-1.0 up to and including 7.x-1.35.
AnalysisAI
The Drupal 7 Internationalization (i18n) module's i18n_node submodule allows authenticated users holding both 'Translate content' and 'Administer content translations' permissions to bypass access controls and view unpublished node titles and IDs through the translation user interface and autocomplete functionality. Affected versions range from 7.x-1.0 through 7.x-1.35. No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
The i18n module (CPE: cpe:2.3:a:drupal:internationalization_(i18n)_-_i18n_node_submodule:*:*:*:*:*:*:*:*) extends Drupal 7's content translation capabilities. The vulnerability stems from improper access control validation in the i18n_node submodule, specifically in how the translation UI and its autocomplete widget handle node references. CWE-284 (Improper Access Control-Permissions, Privileges, and Other Access Controls) identifies the root cause: the module fails to properly enforce the distinction between published and unpublished nodes during translation operations, allowing users with specific translation permissions to circumvent the standard node access checks. This occurs because the autocomplete and node attachment mechanisms do not re-verify publication status after permission checks pass.
RemediationAI
Upgrade the i18n module to a patched version beyond 7.x-1.35 as soon as a security release is available from the Drupal project. Monitor the official Drupal security advisories and the Hero Devs vulnerability directory (https://www.herodevs.com/vulnerability-directory/cve-2026-0748) for patch availability and release notes. Until an official patch is released, restrict the assignment of both 'Translate content' and 'Administer content translations' permissions to trusted administrator-level users only, and audit existing permission assignments to identify and revoke dual-permission grants from non-essential accounts. Consider implementing a code review or custom access control layer in the i18n_node module if an extended delay in patch availability is anticipated.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16420
GHSA-qwjq-cprg-rrcp