{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4933", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-26T19:50:20.404Z", "datePublished": "2026-03-26T20:10:26.886Z", "dateUpdated": "2026-03-30T14:54:36.334Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:10:26.886Z"}, "title": "Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029", "datePublic": "2026-03-11T16:35:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"vendor": "Drupal", "product": "Unpublished Node Permissions", "collectionURL": "https://www.drupal.org/project/unpublished_node_permissions", "repo": "https://git.drupalcode.org/project/unpublished_node_permissions", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.7.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.<p>This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-029"}], "credits": [{"lang": "en", "value": "Andre Groendijk (groendijk)", "type": "finder"}, {"lang": "en", "value": "Fabien Gutknecht (fabsgugu)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}, {"lang": "en", "value": "Jess (xjm)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T14:41:34.163708Z", "id": "CVE-2026-4933", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:54:36.334Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4933", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T14:41:34.163708Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:41:47.113Z"}}], "cna": {"title": "Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Andre Groendijk (groendijk)"}, {"lang": "en", "type": "remediation developer", "value": "Fabien Gutknecht (fabsgugu)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}, {"lang": "en", "type": "coordinator", "value": "Jess (xjm)"}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/unpublished_node_permissions", "vendor": "Drupal", "product": "Unpublished Node Permissions", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.7.0", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/unpublished_node_permissions", "defaultStatus": "unaffected"}], "datePublic": "2026-03-11T16:35:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-029"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.<p>This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:10:26.886Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4933", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:54:36.334Z", "dateReserved": "2026-03-26T19:50:20.404Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-26T20:10:26.886Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jeroenb:unpublished_node_permissions:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "7C095AB8-56DE-46FC-90D2-94CA3D13E975", "versionEndExcluding": "8.x-1.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n incorrecta en los permisos de nodos no publicados de Drupal permite la navegaci\u00f3n forzada. Este problema afecta a los permisos de nodos no publicados: desde la versi\u00f3n 0.0.0 anterior a la 1.7.0."}], "id": "CVE-2026-4933", "lastModified": "2026-04-01T16:18:33.603", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T21:17:10.360", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-contrib-2026-029"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.7.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Unpublished Node Permissions", "source": "cna", "vendor": "Drupal"}, "product": "unpublished_node_permissions", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-04-02T05:51:53.675776+00:00", "value": {"mitigation_remediation": ["Apply the latest version of the Unpublished Node Permissions module (1.7.0 or newer).", "If upgrading is not possible, disable the module or enforce stricter node access controls to block direct URL access.", "Verify the patch by testing that previously unpublished nodes can no longer be retrieved via a direct URL."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access to unpublished content"}, "threat_synthesis": {"affected_systems": "Drupal installations that have the Unpublished Node Permissions contributed module installed at any version from 0.0.0 up to, but not including, 1.7.0 are affected. The issue applies to all sites using these older versions, regardless of the content type or publishing workflow.", "description_and_impact": "The Unpublished Node Permissions module in Drupal contains an incorrect authorization flaw that allows attackers to circumvent normal access controls and retrieve content that should remain hidden from non\u2011privileged users. This weakness falls under CWE\u2011863 and enables forceful browsing, letting an attacker read unpublished nodes by requesting their URLs. Consequently, sensitive or unpublished information may be exposed to unauthenticated parties, compromising confidentiality.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity vulnerability. The EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The flaw is not listed in the CISA KEV catalog, and no other major exploits are publicly documented. Based on the description, the likely attack vector involves sending crafted HTTP GET requests to suspected unpublished node URLs, which, when successful, return the full node content without authentication."}}}}, "created": "2026-03-27T08:32:08.060224+00:00", "updated": "2026-04-02T07:56:22.159022+00:00", "vendors": ["drupal", "drupal$PRODUCT$unpublished_node_permissions"]}