CVE-2026-0748: CWE-284 Improper Access Control in Drupal Internationalization (i18n) - i18n_node submodule
CVE-2026-0748 is a medium severity vulnerability in the Drupal 7 Internationalization (i18n) module, specifically the i18n_node submodule. It allows users with both "Translate content" and "Administer content translations" permissions to bypass intended access controls and view unpublished node titles and IDs through the translation UI and its autocomplete widget. This affects versions 7. x-1. 0 through 7. x-1. 35 of the module. There are no known exploits in the wild and no patch information is provided in the available data.
AI Analysis
Technical Summary
The vulnerability in Drupal's i18n_node submodule arises from improper access control (CWE-284). Users granted both "Translate content" and "Administer content translations" permissions can access unpublished nodes via the translation interface, exposing unpublished content metadata that should remain restricted. This issue affects Drupal 7 Internationalization module versions from 7.x-1.0 up to and including 7.x-1.35. The CVSS 4.0 base score is 5.3, indicating a medium severity level. No patch or official remediation details are provided in the available information.
Potential Impact
The vulnerability leads to unauthorized disclosure of unpublished node titles and IDs to users who have specific translation-related permissions. This could result in information leakage of content that is not yet published or intended for public or broader internal access. There is no indication of privilege escalation, code execution, or data modification from the provided data.
Mitigation Recommendations
Patch status is not yet confirmed — check the Drupal vendor advisory for current remediation guidance. Until a fix is available, review and restrict the combination of permissions "Translate content" and "Administer content translations" to trusted users only to limit exposure. Monitor official Drupal security channels for updates or patches addressing this issue.
CVE-2026-0748: CWE-284 Improper Access Control in Drupal Internationalization (i18n) - i18n_node submodule
Description
CVE-2026-0748 is a medium severity vulnerability in the Drupal 7 Internationalization (i18n) module, specifically the i18n_node submodule. It allows users with both "Translate content" and "Administer content translations" permissions to bypass intended access controls and view unpublished node titles and IDs through the translation UI and its autocomplete widget. This affects versions 7. x-1. 0 through 7. x-1. 35 of the module. There are no known exploits in the wild and no patch information is provided in the available data.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Drupal's i18n_node submodule arises from improper access control (CWE-284). Users granted both "Translate content" and "Administer content translations" permissions can access unpublished nodes via the translation interface, exposing unpublished content metadata that should remain restricted. This issue affects Drupal 7 Internationalization module versions from 7.x-1.0 up to and including 7.x-1.35. The CVSS 4.0 base score is 5.3, indicating a medium severity level. No patch or official remediation details are provided in the available information.
Potential Impact
The vulnerability leads to unauthorized disclosure of unpublished node titles and IDs to users who have specific translation-related permissions. This could result in information leakage of content that is not yet published or intended for public or broader internal access. There is no indication of privilege escalation, code execution, or data modification from the provided data.
Mitigation Recommendations
Patch status is not yet confirmed — check the Drupal vendor advisory for current remediation guidance. Until a fix is available, review and restrict the combination of permissions "Translate content" and "Administer content translations" to trusted users only to limit exposure. Monitor official Drupal security channels for updates or patches addressing this issue.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- drupal
- Date Reserved
- 2026-01-08T19:50:35.556Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69c5a8ce3c064ed76fd1dade
Added to database: 3/26/2026, 9:44:46 PM
Last enriched: 4/3/2026, 1:41:04 PM
Last updated: 5/10/2026, 8:43:05 PM
Views: 74
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.