Platform: drupal
Component: drupal
Fixed in: 7.0.1
CVE-2026-0748 is an access control bypass vulnerability discovered in the Drupal 7 Internationalization (i18n) module, specifically the i18n_node submodule. This flaw allows users with both "Translate content" and "Administer content translations" permissions to view and attach unpublished nodes through the translation UI. The vulnerability impacts Drupal versions 7.x-1.0 through 7.x-1.35, and a patch is available to address the issue.
The primary impact of CVE-2026-0748 is the unauthorized disclosure of unpublished node titles and IDs within a Drupal 7 site. An attacker who possesses the required permissions could leverage this vulnerability to gain insights into content that is not intended to be publicly accessible. This could be used for reconnaissance purposes, potentially revealing sensitive information or identifying targets for further attacks. While the vulnerability doesn't directly lead to code execution, the exposure of unpublished content could compromise the integrity and confidentiality of the website’s data. The potential for data leakage is significant, especially if unpublished nodes contain sensitive information.
CVE-2026-0748 was publicly disclosed on 2026-03-26. There is no indication of this vulnerability being actively exploited or listed on CISA KEV. Public proof-of-concept exploits are currently unavailable, but the vulnerability's ease of exploitation (requiring only specific user permissions) suggests it could become a target for opportunistic attackers.
EPSS: 0.03% (7th percentile)
The recommended mitigation for CVE-2026-0748 is to upgrade the Drupal 7 Internationalization (i18n) module to a patched version. Unfortunately, specific patched versions are not provided in the CVE details. If upgrading is not immediately feasible, consider restricting user permissions to minimize the potential impact. Remove or disable the "Translate content" and "Administer content translations" permissions from users who do not absolutely require them. Review Drupal’s security advisory for further guidance and potential workarounds. Regularly audit user permissions to ensure they align with the principle of least privilege.
Update the Internationalization (i18n) module to a version later than 7.x-1.35. This will correct the access bypass vulnerability in the i18n_node translation UI.
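The permission audit described above has to be done per user, not per role, because the two permissions can reach one account through different roles. The following is an added example, not code from the Drupal project or the advisory. It assumes the Drupal 7 core table layout (users, users_roles, role_permission) and the permission machine names shown, and runs against constructed sample rows in an in-memory SQLite database standing in for the site database.

```python
import sqlite3

# Assumed Drupal 7 permission machine names (the page gives only the UI labels).
PERMS = ("translate content", "administer content translations")

# Constructed sample data in the Drupal 7 core table layout.
SAMPLE = """
CREATE TABLE users (uid INTEGER, name TEXT, status INTEGER);
CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
CREATE TABLE role_permission (rid INTEGER, permission TEXT, module TEXT);
INSERT INTO users VALUES (1,'admin',1),(2,'alice',1),(3,'bob',1),(4,'carol',1),(5,'dave',0);
INSERT INTO users_roles VALUES (2,3),(2,4),(3,3),(4,5),(5,3),(5,4);
INSERT INTO role_permission VALUES
 (3,'translate content','translation'),
 (4,'administer content translations','i18n_node'),
 (5,'translate content','translation'),
 (2,'access content','node');
"""

# Effective roles = users_roles rows plus the implicit "authenticated user"
# role (rid 2), which Drupal 7 does not store per user. uid 1 passes every
# permission check regardless and is only listed here if its roles match.
QUERY = """
WITH effective AS (
  SELECT uid, rid FROM users_roles
  UNION
  SELECT uid, 2 FROM users WHERE uid > 0
)
SELECT u.name
FROM users u
JOIN effective e ON e.uid = u.uid
JOIN role_permission rp ON rp.rid = e.rid
WHERE u.status = 1 AND rp.permission IN (?, ?)
GROUP BY u.uid, u.name
HAVING COUNT(DISTINCT rp.permission) = 2
ORDER BY u.name
"""

def users_with_both(conn):
    """Active accounts whose combined roles grant both permissions."""
    return [row[0] for row in conn.execute(QUERY, PERMS)]

def sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE)
    return conn

if __name__ == "__main__":
    print(users_with_both(sample_db()))
```

In the sample data only alice is reported: she holds the two permissions through two separate roles, while dave has the same roles but is a blocked account.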
CVE-2026-0748 is a vulnerability in Drupal 7's i18n module allowing users with specific permissions to view unpublished node titles and IDs, bypassing access controls.
You are affected if your Drupal 7 site uses the Internationalization (i18n) module, versions 7.x-1.0 through 7.x-1.35, and has users with both 'Translate content' and 'Administer content translations' permissions.
Upgrade the Drupal 7 Internationalization (i18n) module to a patched version. If upgrading is not possible, restrict user permissions to minimize the impact.
There is currently no indication of active exploitation, but the vulnerability's ease of exploitation suggests it could become a target.
Refer to the official Drupal security advisory for detailed information and updates regarding CVE-2026-0748.