What the vulnerability does
01Description
In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs.
Exploit affects versions 7.x-1.0 up to and including 7.x-1.35.
Explanation of Vulnerability in Simple Terms
02Summary
The i18n_node submodule in Drupal's Internationalization module versions 7.x-1.0 through 7.x-1.35 contains an access control flaw. A logged-in user with low privileges can access or modify content they should not have permission to view or edit. The vulnerability requires an active user account but no special interaction from other users.
What an attacker can do
03Attacker Capabilities
Access or modify content that should be restricted to higher-privilege users.
Potential impact on your site
04Site Impact
Unauthorized users may read or alter multilingual node content beyond their assigned permissions.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account on the Drupal site.
Key dates
06Disclosure timeline
March 26, 2026
CVE published
March 27, 2026
Record updated