{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-0748","assignerOrgId":"2c85b837-eb8b-40ed-9d74-228c62987387","state":"PUBLISHED","assignerShortName":"drupal","dateReserved":"2026-01-08T19:50:35.556Z","datePublished":"2026-03-26T21:17:37.769Z","dateUpdated":"2026-03-27T13:55:09.117Z"},"containers":{"cna":{"providerMetadata":{"orgId":"2c85b837-eb8b-40ed-9d74-228c62987387","shortName":"drupal","dateUpdated":"2026-03-26T21:17:37.769Z"},"title":"Access bypass in Drupal 7 i18n_node translation UI","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-284","description":"CWE-284 Improper Access Control","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-233","descriptions":[{"lang":"en","value":"CAPEC-233 Privilege Abuse"}]}],"affected":[{"vendor":"Drupal","product":"Internationalization (i18n) - i18n_node submodule","collectionURL":"https://www.drupal.org/project/i18n","packageName":"i18n_node","repo":"https://git.drupalcode.org/project/i18n","versions":[{"status":"affected","version":"7.x-1.0","lessThanOrEqual":"7.x-1.35","versionType":"custom"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. \n\nExploit affects versions 7.x-1.0 up to and including 7.x-1.35.","supportingMedia":[{"type":"text/html","base64":false,"value":"In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. <br><br>Exploit affects versions 7.x-1.0 up to and including 7.x-1.35."}]}],"references":[{"url":"https://www.herodevs.com/vulnerability-directory/cve-2026-0748","tags":["third-party-advisory"]},{"url":"https://d7es.tag1.com/node/86","tags":["third-party-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","subConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","version":"4.0","baseSeverity":"MEDIUM","baseScore":5.3,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"}}],"credits":[{"lang":"en","value":"Tatár Balázs János (tatarbj)","type":"finder"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 0.5.0"}},"adp":[{"references":[{"url":"https://www.herodevs.com/vulnerability-directory/cve-2026-0748?nes-for-drupal-7","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-27T13:32:21.676472Z","id":"CVE-2026-0748","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-27T13:55:09.117Z"}}]}}