CVE-2026-0748 (GCVE-0-2026-0748)

Vulnerability from cvelistv5 – Published: 2026-03-26 21:17 – Updated: 2026-03-27 13:55
VLAI?
Title
Access bypass in Drupal 7 i18n_node translation UI
Summary
In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. Exploit affects versions 7.x-1.0 up to and including 7.x-1.35.
Severity ?
5.3 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
CWE
  • CWE-284 - Improper Access Control
Assigner
References
Impacted products
Vendor Product Version
Drupal Internationalization (i18n) - i18n_node submodule Affected: 7.x-1.0 , ≤ 7.x-1.35 (custom)
Create a notification for this product.
Credits
Tatár Balázs János (tatarbj)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-0748",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T13:32:21.676472Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T13:55:09.117Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0748?nes-for-drupal-7"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/i18n",
          "defaultStatus": "unaffected",
          "packageName": "i18n_node",
          "product": "Internationalization (i18n) - i18n_node submodule",
          "repo": "https://git.drupalcode.org/project/i18n",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThanOrEqual": "7.x-1.35",
              "status": "affected",
              "version": "7.x-1.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Tat\u00e1r Bal\u00e1zs J\u00e1nos (tatarbj)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. \u003cbr\u003e\u003cbr\u003eExploit affects versions 7.x-1.0 up to and including 7.x-1.35."
            }
          ],
          "value": "In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. \n\nExploit affects versions 7.x-1.0 up to and including 7.x-1.35."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Abuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T21:17:37.769Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.herodevs.com/vulnerability-directory/cve-2026-0748"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://d7es.tag1.com/node/86"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Access bypass in Drupal 7 i18n_node translation UI",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2026-0748",
    "datePublished": "2026-03-26T21:17:37.769Z",
    "dateReserved": "2026-01-08T19:50:35.556Z",
    "dateUpdated": "2026-03-27T13:55:09.117Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-0748\",\"sourceIdentifier\":\"mlhess@drupal.org\",\"published\":\"2026-03-26T22:16:27.100\",\"lastModified\":\"2026-03-30T13:26:50.827\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \\\"Translate content\\\" and \\\"Administer content translations\\\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. \\n\\nExploit affects versions 7.x-1.0 up to and including 7.x-1.35.\"},{\"lang\":\"es\",\"value\":\"En el m\u00f3dulo Internationalization (i18n) de Drupal 7, el subm\u00f3dulo i18n_node permite a un usuario con ambos permisos de \u0027Traducir contenido\u0027 y \u0027Administrar traducciones de contenido\u0027 ver y adjuntar nodos no publicados a trav\u00e9s de la interfaz de usuario de traducci\u00f3n y su widget de autocompletado. Esto elude los controles de acceso previstos y revela los t\u00edtulos e IDs de nodos no publicados. El exploit afecta a las versiones 7.x-1.0 hasta la 7.x-1.35 inclusive.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"mlhess@drupal.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"mlhess@drupal.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"references\":[{\"url\":\"https://d7es.tag1.com/node/86\",\"source\":\"mlhess@drupal.org\"},{\"url\":\"https://www.herodevs.com/vulnerability-directory/cve-2026-0748\",\"source\":\"mlhess@drupal.org\"},{\"url\":\"https://www.herodevs.com/vulnerability-directory/cve-2026-0748?nes-for-drupal-7\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-0748\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-27T13:32:21.676472Z\"}}}], \"references\": [{\"url\": \"https://www.herodevs.com/vulnerability-directory/cve-2026-0748?nes-for-drupal-7\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-27T13:32:14.892Z\"}}], \"cna\": {\"title\": \"Access bypass in Drupal 7 i18n_node translation UI\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Tat\\u00e1r Bal\\u00e1zs J\\u00e1nos (tatarbj)\"}], \"impacts\": [{\"capecId\": \"CAPEC-233\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-233 Privilege Abuse\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://git.drupalcode.org/project/i18n\", \"vendor\": \"Drupal\", \"product\": \"Internationalization (i18n) - i18n_node submodule\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.x-1.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"7.x-1.35\"}], \"packageName\": \"i18n_node\", \"collectionURL\": \"https://www.drupal.org/project/i18n\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.herodevs.com/vulnerability-directory/cve-2026-0748\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://d7es.tag1.com/node/86\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \\\"Translate content\\\" and \\\"Administer content translations\\\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. \\n\\nExploit affects versions 7.x-1.0 up to and including 7.x-1.35.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \\\"Translate content\\\" and \\\"Administer content translations\\\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. \u003cbr\u003e\u003cbr\u003eExploit affects versions 7.x-1.0 up to and including 7.x-1.35.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284 Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"2c85b837-eb8b-40ed-9d74-228c62987387\", \"shortName\": \"drupal\", \"dateUpdated\": \"2026-03-26T21:17:37.769Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-0748\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-27T13:55:09.117Z\", \"dateReserved\": \"2026-01-08T19:50:35.556Z\", \"assignerOrgId\": \"2c85b837-eb8b-40ed-9d74-228c62987387\", \"datePublished\": \"2026-03-26T21:17:37.769Z\", \"assignerShortName\": \"drupal\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.