{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4933", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-26T19:50:20.404Z", "datePublished": "2026-03-26T20:10:26.886Z", "dateUpdated": "2026-03-30T14:54:36.334Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:10:26.886Z"}, "title": "Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029", "datePublic": "2026-03-11T16:35:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"vendor": "Drupal", "product": "Unpublished Node Permissions", "collectionURL": "https://www.drupal.org/project/unpublished_node_permissions", "repo": "https://git.drupalcode.org/project/unpublished_node_permissions", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.7.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.<p>This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-029"}], "credits": [{"lang": "en", "value": "Andre Groendijk (groendijk)", "type": "finder"}, {"lang": "en", "value": "Fabien Gutknecht (fabsgugu)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}, {"lang": "en", "value": "Jess (xjm)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T14:41:34.163708Z", "id": "CVE-2026-4933", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:54:36.334Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4933", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T14:41:34.163708Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:41:47.113Z"}}], "cna": {"title": "Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Andre Groendijk (groendijk)"}, {"lang": "en", "type": "remediation developer", "value": "Fabien Gutknecht (fabsgugu)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}, {"lang": "en", "type": "coordinator", "value": "Jess (xjm)"}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/unpublished_node_permissions", "vendor": "Drupal", "product": "Unpublished Node Permissions", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.7.0", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/unpublished_node_permissions", "defaultStatus": "unaffected"}], "datePublic": "2026-03-11T16:35:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-029"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.<p>This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:10:26.886Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4933", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:54:36.334Z", "dateReserved": "2026-03-26T19:50:20.404Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-26T20:10:26.886Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n incorrecta en los permisos de nodos no publicados de Drupal permite la navegaci\u00f3n forzada. Este problema afecta a los permisos de nodos no publicados: desde la versi\u00f3n 0.0.0 anterior a la 1.7.0."}], "id": "CVE-2026-4933", "lastModified": "2026-03-30T15:16:33.513", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T21:17:10.360", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-029"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.7.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Unpublished Node Permissions", "source": "cna", "vendor": "Drupal"}, "product": "unpublished_node_permissions", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-26T21:36:08.105801+00:00", "value": {"mitigation_remediation": ["Upgrade the Unpublished Node Permissions module to version 1.7.0 or later as released in the official Drupal advisory. ", "If upgrading is not immediately possible, restrict access to unpublished nodes by applying tighter role permissions or using Drupal\u2019s built\u2011in access controls. ", "Disable or uninstall the Unpublished Node Permissions module if the functionality is not required for the site. ", "Verify that no custom code overrides the module\u2019s authorization checks and ensure that all access control rules are correctly enforced."], "summary": {"action": "Apply patch", "impact": "Access bypass"}, "threat_synthesis": {"affected_systems": "Drupal sites that have the Unpublished Node Permissions module installed with any version prior to 1.7.0 are affected. The issue is specific to this module and does not extend to core Drupal functionality or other contributed modules unless they rely on the same access checking code.", "description_and_impact": "This vulnerability arises from an incorrect authorization check in the Unpublished Node Permissions module for Drupal, allowing a forced browsing attack. An attacker can manipulate URLs or requests to view nodes that are marked as unpublished, thereby gaining access to content that should remain confidential for the site\u2019s authorized users. This breach directly compromises the confidentiality and integrity of the site\u2019s content, potentially exposing sensitive or proprietary information to unauthenticated parties.", "risk_and_exploitability": "The CVSS score is not disclosed, but the severity can be considered high due to the direct access bypass of unpublished content. Exploitation is likely remote via standard HTTP(S) requests to the Drupal site, and the lack of known public exploits and absence in the CISA KEV catalog suggests no widespread active attacks are documented. However, given the nature of the flaw, an attacker with network visibility can automate requests to enumerate or retrieve unpublished nodes, making it advisable to treat this as a high\u2011risk issue."}}}}, "created": "2026-03-27T08:32:08.060224+00:00", "updated": "2026-03-27T09:23:36.169568+00:00", "vendors": ["drupal", "drupal$PRODUCT$unpublished_node_permissions"]}