View online: https://www.drupal.org/sa-contrib-2026-029 Project: Unpublished Node Permissions [1] Date: 2026-March-11 Security risk: *Critical* 15 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass Affected versions: <1.7.0 Description:  This module creates permissions per node content type to control access to unpublished nodes per content type. The module does not consistently control access for unpublished translated nodes. Solution:  Install the latest version: * If you use the Unpublished Node Permissions module, upgrade to Unpublished Node Permissions 8.x-1.7 [3]. Reported By:  * Andre Groendijk (groendijk) [4] Fixed By:  * Fabien Gutknecht (fabsgugu) [5] Coordinated By:  * Greg Knaddison (greggles) [6] of the Drupal Security Team * Juraj Nemec (poker10) [7] of the Drupal Security Team * Jess (xjm) [8] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [9] [1] https://www.drupal.org/project/unpublished_node_permissions [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/unpublished_node_permissions/releases/8.x-1.7 [4] https://www.drupal.org/u/groendijk [5] https://www.drupal.org/u/fabsgugu [6] https://www.drupal.org/u/greggles [7] https://www.drupal.org/u/poker10 [8] https://www.drupal.org/u/xjm [9] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....