CVE-2026-0748

MEDIUM

Access bypass in Drupal 7 i18n_node translation UI

Title source: cna

Description

In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. Exploit affects versions 7.x-1.0 up to and including 7.x-1.35.

References (3)

Core 3

Core References

Third Party Advisory third-party-advisory

https://www.herodevs.com/vulnerability-directory/cve-2026-0748

Various Sources

https://www.herodevs.com/vulnerability-directory/cve-2026-0748?nes-for-drupal-7

Third Party Advisory third-party-advisory

https://d7es.tag1.com/node/86

Scores

CVSS v3 4.3

EPSS 0.0040

EPSS Percentile 32.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-276 CWE-284

Status published

Products (2)

Drupal/Internationalization (i18n) - i18n_node submodule 7.x-1.0 - 7.x-1.35

internationalization_project/internationalization 7.x-1.0 - 7.x-1.35

Published Mar 26, 2026

Tracked Since Mar 27, 2026