Platform: drupal
Component: drupal
Fixed in: 7.0.1
CVE-2026-0748 is an access control bypass vulnerability discovered in the Drupal 7 Internationalization (i18n) module, specifically the i18n_node submodule. This flaw allows users with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes through the translation UI. The vulnerability impacts Drupal versions 7.x-1.0 through 7.x-1.35, and a patch is available to address the issue.
The primary impact of CVE-2026-0748 is the unauthorized disclosure of unpublished node titles and IDs within a Drupal 7 site. An attacker exploiting this vulnerability could gain insight into content that was intentionally kept private, potentially revealing sensitive information or strategic plans. While the vulnerability doesn't directly lead to code execution or data modification, the exposure of unpublished content could be leveraged for reconnaissance, social engineering, or to inform further attacks. The blast radius is limited to the Drupal site itself and the data accessible through the i18n module’s translation interface.
CVE-2026-0748 was publicly disclosed on 2026-03-26. The vulnerability is not currently listed on CISA KEV. There are no publicly known proof-of-concept exploits available at this time, but the relatively straightforward nature of the bypass suggests that one may emerge. The vulnerability's impact is primarily informational, but the potential for abuse warrants prompt remediation.
Websites running Drupal 7 with the Internationalization (i18n) module installed are at risk. Specifically, sites where users have been granted both "Translate content" and "Administer content translations" permissions are particularly vulnerable, even if those users are not typically involved in content creation.
• wordpress / composer / npm:
grep -r "i18n_node_autocomplete" /var/www/drupal7/
• generic web:
curl -I http://your-drupal-site.com/admin/config/regional/i18n-node
• generic web: Check Drupal logs for unusual activity related to node translations or access attempts by users with 'Translate content' and 'Administer content translations' permissions.
EPSS: 0.03% (7th percentile)
The recommended mitigation for CVE-2026-0748 is to upgrade to a patched version of the Drupal i18n module. If upgrading immediately is not feasible, consider temporarily restricting access to the translation UI for users who do not require it. Review user permissions to ensure only authorized personnel hold both the 'Translate content' and 'Administer content translations' permissions. Implement a web application firewall (WAF) rule to block requests to the affected translation endpoint, although this is a less robust solution than patching. There are no specific Sigma or YARA rules readily available for this vulnerability.
Update the Internationalization (i18n) module to a version later than 7.x-1.35. This will fix the access bypass vulnerability in the i18n_node translation user interface.
CVE-2026-0748 is a vulnerability in Drupal 7's i18n module allowing users with specific permissions to view unpublished node titles and IDs, bypassing access controls.
You are affected if your Drupal 7 site uses the Internationalization (i18n) module and has users with both 'Translate content' and 'Administer content translations' permissions, versions 7.x-1.0 through 7.x-1.35.
Upgrade the Drupal 7 Internationalization (i18n) module to a patched version. If upgrading is not possible, restrict user permissions to minimize the impact.
There is currently no indication of active exploitation, but the vulnerability's ease of exploitation suggests it could become a target.
Refer to the official Drupal security advisory for detailed information and updates regarding CVE-2026-0748.