CVE-2026-0748 MEDIUM

CVE-2026-0748: Access bypass in Drupal 7 i18n_node translation UI

Vendor Drupal
Product Internationalization (i18n) - i18n_node submodule
Weakness CWE-284
Published March 26, 2026
Last update March 27, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

What the vulnerability does

01Description

In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. Exploit affects versions 7.x-1.0 up to and including 7.x-1.35.

Explanation of Vulnerability in Simple Terms

02Summary

The i18n_node submodule in Drupal's Internationalization module versions 7.x-1.0 through 7.x-1.35 contains an access control flaw. A logged-in user with low privileges can access or modify content they should not have permission to view or edit. The vulnerability requires an active user account but no special interaction from other users.

What an attacker can do

03Attacker Capabilities

Access or modify content that should be restricted to higher-privilege users.

Potential impact on your site

04Site Impact

Unauthorized users may read or alter multilingual node content beyond their assigned permissions.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the Drupal site.

Key dates

06Disclosure timeline

March 26, 2026 CVE published
March 27, 2026 Record updated

Related vulnerabilities

08Related CVE