Platform: drupal
Component: drupal
Fixed in: 1.7.0, 8.0.1
CVE-2026-4933 describes an Incorrect Authorization vulnerability in Drupal's Unpublished Node Permissions module. The flaw allows attackers to engage in forceful browsing, potentially exposing sensitive or confidential unpublished content. It affects the module on Drupal 8.x in versions prior to 1.7.0, and a patch has been released to address the issue.
The core impact of CVE-2026-4933 is that unauthorized users can bypass access controls and view unpublished nodes on a Drupal site. This could expose content drafts, internal communications, or other sensitive information not intended for public consumption. An attacker could use this to gain insight into ongoing projects, identify weaknesses in the content creation process, or even manipulate unpublished content before it is officially published. The blast radius is limited to content reachable through unpublished nodes, but the potential for data leakage and reputational damage remains significant.
CVE-2026-4933 was publicly disclosed on 2026-03-26. No public proof-of-concept exploits are currently known. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog. Given the nature of the vulnerability (forceful browsing), it is plausible that attackers could attempt to exploit it, particularly in environments with weak access controls.
Exploit Status
EPSS: 0.04% (14th percentile)
CVSS Vector
The primary mitigation for CVE-2026-4933 is to immediately upgrade the Unpublished Node Permissions module to version 1.7.0 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing stricter access controls on unpublished nodes, limiting access to only authorized users. Review and audit existing permissions configurations to ensure that only necessary roles have access to unpublished content. While a WAF or proxy cannot directly address this authorization flaw, it can be configured to monitor for suspicious access patterns to unpublished nodes and potentially block unauthorized requests. After upgrade, confirm the fix by attempting to access unpublished nodes with a non-authorized user account.
Update the Unpublished Node Permissions module to version 1.7.0 or higher. This version corrects the incorrect authorization vulnerability that allows forceful browsing of unpublished content.
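To make the upgrade step checkable in a build or audit pipeline, here is an added example (not code from the advisory or from the Drupal project) that reads a site's Composer lockfile (composer.lock, which Drupal sites managed with Composer keep at the project root) and reports whether the locked version of the module is below the fixed release. The Composer package name drupal/unpublished_node_permissions is an assumption based on the usual "drupal/" vendor namespace for contrib modules and should be confirmed against the advisory; the fix threshold of 1.7.0 comes from the advisory's upgrade instruction. The sample lockfile embedded below is constructed for the example.

```python
import json
import re
import sys
from typing import Optional, Tuple

# Assumed Composer package name for the module (Drupal contrib modules are
# normally published under the "drupal/" vendor namespace); verify it for your site.
PACKAGE = "drupal/unpublished_node_permissions"
FIXED_VERSION = "1.7.0"  # from the advisory: upgrade to 1.7.0 or later

# Constructed sample composer.lock fragment for demonstration, not a real lockfile.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.2.4"},
        {"name": "drupal/unpublished_node_permissions", "version": "1.6.0"},
    ],
    "packages-dev": [],
})


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn '1.6.0', 'v1.6.0' or a Drupal-style '8.x-1.6' into a comparable tuple.

    Branch aliases such as 'dev-main' or '1.x-dev' return None because they
    carry no release number and cannot be compared against a fixed version.
    """
    v = version.strip()
    if v.startswith("dev-") or v.endswith("-dev"):
        return None
    v = v.lstrip("v")
    # Drop a Drupal core-compatibility prefix such as '8.x-' if present.
    v = re.sub(r"^\d+\.x-", "", v)
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", v)
    if not m:
        return None
    major, minor, patch = (int(p or 0) for p in m.groups())
    return (major, minor, patch)


def installed_version(lock_text: str, package: str = PACKAGE) -> Optional[str]:
    """Return the locked version string of `package`, or None if it is not installed."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def is_vulnerable(lock_text: str, package: str = PACKAGE,
                  fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the locked version is below `fixed`, False if it is at or above
    `fixed` or the module is not installed, None if the version is a branch
    alias that cannot be compared (treat None as 'needs manual review')."""
    version = installed_version(lock_text, package)
    if version is None:
        return False
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < parse_version(fixed)


if __name__ == "__main__":
    # Usage: python check_unpublished_node_permissions.py [path/to/composer.lock]
    # Without an argument the constructed sample lockfile is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    result = is_vulnerable(text)
    version = installed_version(text)
    if result is None:
        print(f"{PACKAGE} is locked to branch alias {version}; review manually")
    elif result:
        print(f"{PACKAGE} {version} is below {FIXED_VERSION}: affected by CVE-2026-4933")
    else:
        print(f"{PACKAGE} is absent or at/above {FIXED_VERSION}: not affected")
```

A None result (the module pinned to a development branch) is deliberately surfaced rather than silently passed, since a branch alias says nothing about whether the fix commit is included; treat it as a finding to verify by hand.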
CVE-2026-4933 is an Incorrect Authorization vulnerability in Drupal's Unpublished Node Permissions module, allowing attackers to bypass access controls and view unpublished content.
If you are using Drupal 8.x with any version of the Unpublished Node Permissions module before 1.7.0, you are potentially affected by this vulnerability.
Upgrade the Unpublished Node Permissions module to version 1.7.0 or later to remediate the vulnerability. Consider stricter access controls on unpublished nodes as an interim measure.
Currently, there are no known public exploits or confirmed active exploitation campaigns for CVE-2026-4933, but the potential for exploitation exists.
Refer to the official Drupal security advisory for CVE-2026-4933 on the Drupal website for detailed information and updates.