{"api_version":"1","generated_at":"2026-04-23T06:08:36+00:00","cve":"CVE-2026-0748","urls":{"html":"https://cve.report/CVE-2026-0748","api":"https://cve.report/api/cve/CVE-2026-0748.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-0748","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-0748"},"summary":{"title":"Access bypass in Drupal 7 i18n_node translation UI","description":"In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. \n\nExploit affects versions 7.x-1.0 up to and including 7.x-1.35.","state":"PUBLISHED","assigner":"drupal","published_at":"2026-03-26 22:16:27","updated_at":"2026-04-01 16:22:14"},"problem_types":["CWE-284","CWE-276","CWE-284 CWE-284 Improper Access Control"],"metrics":[{"version":"4.0","source":"mlhess@drupal.org","type":"Secondary","score":"5.3","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"5.3","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N","data":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":5.3,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"}},{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}}],"references":[{"url":"https://www.herodevs.com/vulnerability-directory/cve-2026-0748","name":"https://www.herodevs.com/vulnerability-directory/cve-2026-0748","refsource":"mlhess@drupal.org","tags":["Exploit","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.herodevs.com/vulnerability-directory/cve-2026-0748?nes-for-drupal-7","name":"https://www.herodevs.com/vulnerability-directory/cve-2026-0748?nes-for-drupal-7","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://d7es.tag1.com/node/86","name":"https://d7es.tag1.com/node/86","refsource":"mlhess@drupal.org","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-0748","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0748","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Drupal","product":"Internationalization (i18n) - i18n_node submodule","version":"affected 7.x-1.0 7.x-1.35 custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Tatár Balázs János (tatarbj)","lang":"en"}],"nvd_cpes":[{"cve_year":"2026","cve_id":"748","vulnerable":"1","versionEndIncluding":"7.x-1.35","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"internationalization_project","cpe5":"internationalization","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"drupal","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"748","cve":"CVE-2026-0748","epss":"0.000260000","percentile":"0.073030000","score_date":"2026-04-05","updated_at":"2026-04-06 00:05:32"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-0748","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-03-27T13:32:21.676472Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-03-27T13:55:09.117Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://www.herodevs.com/vulnerability-directory/cve-2026-0748?nes-for-drupal-7"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://www.drupal.org/project/i18n","defaultStatus":"unaffected","packageName":"i18n_node","product":"Internationalization (i18n) - i18n_node submodule","repo":"https://git.drupalcode.org/project/i18n","vendor":"Drupal","versions":[{"lessThanOrEqual":"7.x-1.35","status":"affected","version":"7.x-1.0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"Tatár Balázs János (tatarbj)"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. <br><br>Exploit affects versions 7.x-1.0 up to and including 7.x-1.35."}],"value":"In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. \n\nExploit affects versions 7.x-1.0 up to and including 7.x-1.35."}],"impacts":[{"capecId":"CAPEC-233","descriptions":[{"lang":"en","value":"CAPEC-233 Privilege Abuse"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":5.3,"baseSeverity":"MEDIUM","exploitMaturity":"NOT_DEFINED","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-284","description":"CWE-284 Improper Access Control","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-03-26T21:17:37.769Z","orgId":"2c85b837-eb8b-40ed-9d74-228c62987387","shortName":"drupal"},"references":[{"tags":["third-party-advisory"],"url":"https://www.herodevs.com/vulnerability-directory/cve-2026-0748"},{"tags":["third-party-advisory"],"url":"https://d7es.tag1.com/node/86"}],"source":{"discovery":"UNKNOWN"},"title":"Access bypass in Drupal 7 i18n_node translation UI","x_generator":{"engine":"Vulnogram 0.5.0"}}},"cveMetadata":{"assignerOrgId":"2c85b837-eb8b-40ed-9d74-228c62987387","assignerShortName":"drupal","cveId":"CVE-2026-0748","datePublished":"2026-03-26T21:17:37.769Z","dateReserved":"2026-01-08T19:50:35.556Z","dateUpdated":"2026-03-27T13:55:09.117Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-26 22:16:27","lastModifiedDate":"2026-04-01 16:22:14","problem_types":["CWE-284","CWE-276","CWE-284 CWE-284 Improper Access Control"],"metrics":{"cvssMetricV40":[{"source":"mlhess@drupal.org","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:internationalization_project:internationalization:*:*:*:*:*:drupal:*:*","versionStartIncluding":"7.x-1.0","versionEndIncluding":"7.x-1.35","matchCriteriaId":"7CA4C6BB-F2EE-4207-95F1-BADE7B086C4F"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"748","Ordinal":"1","Title":"Access bypass in Drupal 7 i18n_node translation UI","CVE":"CVE-2026-0748","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"748","Ordinal":"1","NoteData":"In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both \"Translate content\" and \"Administer content translations\" permissions to view and attach unpublished nodes via the translation UI and its autocomplete widget. This bypasses intended access controls and discloses unpublished node titles and IDs. \n\nExploit affects versions 7.x-1.0 up to and including 7.x-1.35.","Type":"Description","Title":"Access bypass in Drupal 7 i18n_node translation UI"}]}}}