CVE-2026-0748 | THREATINT

Description

In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. Exploit affects versions 7.x-1.0 up to and including 7.x-1.35.

PUBLISHED Reserved 2026-01-08 | Published 2026-03-26 | Updated 2026-03-27 | Assigner drupal

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Problem types

CWE-284 Improper Access Control

Product status

Default status

unaffected

7.x-1.0 (custom)

affected

Credits

Tatár Balázs János (tatarbj) finder

References

www.herodevs.com/...directory/cve-2026-0748?nes-for-drupal-7 exploit

www.herodevs.com/vulnerability-directory/cve-2026-0748 third-party-advisory

d7es.tag1.com/node/86 third-party-advisory

cve.org (CVE-2026-0748)

nvd.nist.gov (CVE-2026-0748)

Download JSON