Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029 - Security-news

11 Mar 2026


      View online: https://www.drupal.org/sa-contrib-2026-029
Project: Unpublished Node Permissions [1]
Date: 2026-March-11
Security risk: *Critical* 15 ∕ 25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: <1.7.0
Description: 
This module creates permissions per node content type to control access to
unpublished nodes per content type.
The module does not consistently control access for unpublished translated
nodes.
Solution: 
Install the latest version:
* If you use the Unpublished Node Permissions module, upgrade to Unpublished
    Node Permissions 8.x-1.7 [3].
Reported By: 
  * Andre Groendijk (groendijk) [4]
Fixed By: 
  * Fabien Gutknecht (fabsgugu) [5]
Coordinated By: 
  * Greg Knaddison (greggles) [6] of the Drupal Security Team
  * Juraj Nemec (poker10) [7] of the Drupal Security Team
  * Jess  (xjm) [8] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [9]
[1] https://www.drupal.org/project/unpublished_node_permissions
[2] https://www.drupal.org/security-team/risk-levels
[3]  
https://www.drupal.org/project/unpublished_node_permissions/releases/8.x-1.7
[4] https://www.drupal.org/u/groendijk
[5] https://www.drupal.org/u/fabsgugu
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10
[8] https://www.drupal.org/u/xjm
[9]  
https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....