Access bypass in Drupal 7 i18n_node translation UI_CVE-2026-0748

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Description

In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs.

Exploit affects versions 7.x-1.0 up to and including 7.x-1.35.

Basic Information

ID CVE-2026-0748

Source drupal

Published Mar 26, 2026 at 21:17

Modified Mar 27, 2026 at 13:55

Affected Product

Vendor Drupal

Product Internationalization (i18n) - i18n_node submodule

Version 7.x-1.0

Affected Versions Drupal Internationalization (i18n) - i18n_node submodule 7.x-1.0

CWE Classification

CWE-284

References

{
    "lastseen": "",
    "description": "In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. \n\nExploit affects versions 7.x-1.0 up to and including 7.x-1.35.",
    "published": "2026-03-26T21:17:37.769Z",
    "modified": "2026-03-27T13:55:09.117Z",
    "type": "cve",
    "title": "Access bypass in Drupal 7 i18n_node translation UI",
    "source": "drupal",
    "references": "https://www.herodevs.com/vulnerability-directory/cve-2026-0748\nhttps://d7es.tag1.com/node/86",
    "id": "CVE-2026-0748",
    "bulletinFamily": "",
    "cwe": [
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "Drupal Internationalization (i18n) - i18n_node submodule 7.x-1.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Internationalization (i18n) - i18n_node submodule",
    "version": "7.x-1.0",
    "vendor": "Drupal",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}