CVE-2026-4933

CVE-2026-4933: Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029

Vendor Drupal
Product Unpublished Node Permissions
Weakness CWE-863 · Incorrect authorization
Published March 26, 2026
Last update March 30, 2026

What the vulnerability does

01 Description

Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing. This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.

Explanation of Vulnerability in Simple Terms

02 Summary

The Unpublished Node Permissions module for Drupal contains an authorization flaw that allows users to access or modify unpublished nodes beyond their intended permissions. The vulnerability stems from incorrect permission checks when handling unpublished content. Administrators should update to version 1.7.0 or later to resolve this issue.

What an attacker can do

03 Attacker Capabilities

Access or modify unpublished nodes that should be restricted to specific users.

Potential impact on your site

04 Site Impact

Unpublished content may be exposed to unauthorized users, risking data leakage or unintended modifications.

Conditions required to exploit

05 Prerequisites

User must have some level of access to the Drupal site; specific privilege requirements unknown.

Key dates

06 Disclosure timeline

March 26, 2026 CVE published
March 30, 2026 Record updated