
CVE-2026-0748: CWE-284 Improper Access Control in Drupal Internationalization (i18n) - i18n_node submodule

Severity: Medium
Type: Vulnerability
Tags: CVE-2026-0748, cve, cve-2026-0748, cwe-284
Published: Thu Mar 26 2026 (03/26/2026, 21:17:37 UTC)
Source: CVE Database V5
Vendor/Project: Drupal
Product: Internationalization (i18n) - i18n_node submodule

Description

CVE-2026-0748 is a medium-severity vulnerability in the Drupal 7 Internationalization (i18n) module's i18n_node submodule. It allows users with both 'Translate content' and 'Administer content translations' permissions to bypass access controls and view unpublished node titles and IDs through the translation UI and autocomplete widget. This improper access control issue affects versions 7.x-1.0 through 7.x-1.35. Exploitation does not require user interaction or authentication beyond the specified permissions. While it does not disclose full unpublished content, the exposure of node metadata can aid attackers in reconnaissance or unauthorized content manipulation. No known public exploits exist yet, but organizations using affected Drupal versions should review user permissions and apply patches when available.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/26/2026, 22:00:22 UTC

Technical Analysis

CVE-2026-0748 is an improper access control vulnerability (CWE-284) found in the Drupal 7 Internationalization (i18n) module, specifically within the i18n_node submodule. This submodule facilitates content translation management in Drupal sites. The flaw arises because users granted both 'Translate content' and 'Administer content translations' permissions can leverage the translation user interface and its autocomplete widget to view and attach unpublished nodes, which should normally be restricted. This bypasses intended access controls, resulting in unauthorized disclosure of unpublished node titles and node IDs. The vulnerability affects all versions from 7.x-1.0 up to and including 7.x-1.35. The issue does not require additional user interaction or elevated privileges beyond the specified permissions, and it can be exploited remotely over the network. Although the vulnerability does not expose full unpublished content or allow modification, the leakage of unpublished node metadata can facilitate further attacks such as targeted content manipulation or information gathering. No public exploits have been reported to date. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond the stated permissions, no user interaction, and low impact on confidentiality with no impact on integrity or availability. This vulnerability highlights the importance of strict access control enforcement in content management systems, especially in modules handling translations and unpublished content.

Potential Impact

The primary impact of CVE-2026-0748 is the unauthorized disclosure of unpublished node titles and IDs, which compromises confidentiality. Organizations using Drupal 7 with the affected i18n_node submodule may inadvertently expose sensitive or draft content metadata to users who should not have access. This information leakage can aid attackers or malicious insiders in reconnaissance activities, enabling them to identify unpublished content for targeted attacks, social engineering, or content manipulation. While the vulnerability does not allow direct content modification or availability disruption, the exposure of unpublished node information undermines content privacy and editorial workflows. For organizations relying on Drupal for public-facing or internal websites, this could lead to premature disclosure of sensitive information or intellectual property. The impact is more significant for entities with strict content control requirements such as government agencies, media companies, and enterprises managing confidential data. Since exploitation requires specific permissions, the risk is mitigated somewhat by proper role assignment, but insider threats or compromised accounts with these permissions remain a concern.

Mitigation Recommendations

To mitigate CVE-2026-0748, organizations should first audit and restrict the 'Translate content' and 'Administer content translations' permissions to only trusted users who require them for their roles. Minimizing the number of users with these permissions reduces the attack surface. Administrators should monitor and review user roles regularly to prevent privilege creep. Applying updates or patches from Drupal or the module maintainers as soon as they become available is critical; if no official patch exists yet, consider disabling the i18n_node submodule temporarily if translation features are not essential. Additionally, implement strict access control policies and consider custom access control modules or hooks to enforce unpublished content restrictions more robustly. Logging and alerting on unusual access to translation interfaces or unpublished content can help detect exploitation attempts. Finally, conduct security awareness training for users with translation permissions to recognize and report suspicious activities.
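The permission audit recommended above, as an added example that is not part of the advisory or of Drupal's code: it lists every active account whose roles, taken together, grant both permissions, including the case where the two are split across different roles. It assumes the Drupal 7 tables `users`, `role`, `users_roles` and `role_permission` and the lowercase permission machine names shown; the in-memory SQLite data is constructed for the demonstration.

```python
import sqlite3

# Assumed machine names for the two permissions named in the advisory.
NEEDED = ("translate content", "administer content translations")

# Drupal 7 does not store rid 2 (authenticated user) in users_roles, so it is
# added for every real account. uid 1 bypasses permission checks entirely and
# must be reviewed separately. Placeholders use SQLite's "?" style.
AUDIT_SQL = """
SELECT u.uid, u.name, GROUP_CONCAT(DISTINCT r.name) AS roles
FROM users u
JOIN (SELECT uid, rid FROM users_roles
      UNION SELECT uid, 2 FROM users WHERE uid > 0) ur ON ur.uid = u.uid
JOIN role_permission rp ON rp.rid = ur.rid
JOIN role r ON r.rid = ur.rid
WHERE u.status = 1 AND rp.permission IN (?, ?)
GROUP BY u.uid, u.name
HAVING COUNT(DISTINCT rp.permission) = 2
ORDER BY u.uid
"""

def build_sample_db():
    """Constructed sample data laid out like the Drupal 7 tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE users (uid INTEGER, name TEXT, status INTEGER);
    CREATE TABLE role (rid INTEGER, name TEXT);
    CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
    CREATE TABLE role_permission (rid INTEGER, permission TEXT, module TEXT);
    INSERT INTO users VALUES (0,'',0),(2,'alice',1),(3,'bob',1),
                             (4,'carol',1),(5,'dave',0);
    INSERT INTO role VALUES (1,'anonymous user'),(2,'authenticated user'),
      (4,'translator'),(5,'translation manager'),(6,'editor');
    INSERT INTO users_roles VALUES (2,4),(2,5),(3,4),(4,6),(5,4),(5,5);
    INSERT INTO role_permission VALUES
      (4,'translate content','translation'),
      (5,'administer content translations','i18n_node'),
      (6,'translate content','translation'),
      (6,'administer content translations','i18n_node'),
      (6,'administer nodes','node');
    """)
    return db

def accounts_with_both(db):
    """Return (uid, name, [roles]) for accounts holding both permissions."""
    rows = db.execute(AUDIT_SQL, NEEDED).fetchall()
    return [(uid, name, sorted(roles.split(","))) for uid, name, roles in rows]

if __name__ == "__main__":
    for uid, name, roles in accounts_with_both(build_sample_db()):
        print(f"uid={uid} name={name} roles={', '.join(roles)}")
```

In the sample, alice is flagged even though neither of her roles grants both permissions on its own, while dave is skipped because his account is blocked.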


Technical Details

Data Version: 5.2
Assigner Short Name: drupal
Date Reserved: 2026-01-08T19:50:35.556Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69c5a8ce3c064ed76fd1dade

Added to database: 3/26/2026, 9:44:46 PM

Last enriched: 3/26/2026, 10:00:22 PM

Last updated: 3/26/2026, 11:00:56 PM

