CVE-2026-0748

In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. Exploit affects versions 7.x-1.0 up to and including 7.x-1.35.

CVSS

No CVSS.

References

Link	Resource
https://d7es.tag1.com/node/86
https://www.herodevs.com/vulnerability-directory/cve-2026-0748
https://www.herodevs.com/vulnerability-directory/cve-2026-0748?nes-for-drupal-7

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-26 22:16

Updated : 2026-03-30 13:26

NVD link : CVE-2026-0748

Mitre link : CVE-2026-0748

CVE.ORG link : CVE-2026-0748

JSON object : View

Products Affected

No product.

CWE

CWE-284

Improper Access Control

{"id": "CVE-2026-0748", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "mlhess@drupal.org", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-26T22:16:27.100", "references": [{"url": "https://d7es.tag1.com/node/86", "source": "mlhess@drupal.org"}, {"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0748", "source": "mlhess@drupal.org"}, {"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0748?nes-for-drupal-7", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "mlhess@drupal.org", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. \n\nExploit affects versions 7.x-1.0 up to and including 7.x-1.35."}, {"lang": "es", "value": "En el m\u00f3dulo Internationalization (i18n) de Drupal 7, el subm\u00f3dulo i18n_node permite a un usuario con ambos permisos de 'Traducir contenido' y 'Administrar traducciones de contenido' ver y adjuntar nodos no publicados a trav\u00e9s de la interfaz de usuario de traducci\u00f3n y su widget de autocompletado. Esto elude los controles de acceso previstos y revela los t\u00edtulos e IDs de nodos no publicados. El exploit afecta a las versiones 7.x-1.0 hasta la 7.x-1.35 inclusive."}], "lastModified": "2026-03-30T13:26:50.827", "sourceIdentifier": "mlhess@drupal.org"}

CVE-2026-0748

JSON object

Attach tags to CVE-2026-0748

Attach tags to `CVE-2026-0748`