By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Manage Consent Preferences by Category
Essentials
Always active

Necessary for the site to function. Always On.

Used for targeted advertising.

Remembers your preferences and provides enhanced features.

Measures usage and improves your experience.

Reject AllAccept All
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
View all Vulnerabilities

CVE-2026-0748

Broken Access
Affects
i18n_node in i18n
in
Drupal 7
No items found.
Versions
>=7.1.0 <=7.1.35
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications.

In the i18n_node submodule for Drupal 7, a user with both “Translate content” and “Administer content translations” can see and attach unpublished nodes through the translation tab and its autocomplete. This bypasses intended access controls and exposes unpublished titles and IDs, allowing a translator to link content they shouldn’t be able to view.

Broken Access Control occurs when an application fails to properly enforce restrictions on what authenticated users are allowed to do, enabling attackers to access unauthorized functionality, data, or resources. It often stems from inadequate validation of user permissions, allowing someone to bypass intended security boundaries and perform actions beyond their assigned role.

Any of the following ramifications are possible:

  • Allowing arbitrary code execution
  • Complete system compromise
  • Data theft or exposure
  • Data manipulation or destruction
  • Privilege escalation, and
  • Denial of service.

This issue affects the i18n version 7.1.35 and lower.

Details

Module Info

Vulnerability Info

This medium-severity vulnerability is a Broken Access Control issue found in the i18n_node sub-module of the Drupal 7 Internationalization (i18n) module (versions ≤ 7.1.35).

The flaw allows users with certain translation permissions to bypass intended node access restrictions to view and attach unpublished content. The resulting Information Exposure is addressed in the NES build, which updates the module's translation administration workflow to ensure that unpublished nodes are no longer revealed or attachable to unauthorized users.

Steps To Reproduce

  1. Create a vanilla Drupal 7 installation and install a version of the i18n module that is vulnerable to the exploit, such as 7.1.35.
  2. Install and enable i18n and i18n_node.
  3. Visit Configuration → Regional and language → Languages (admin/config/regional/language/add) to add a second language.
  4. Make “Article” translatable at Structure → Content types → Article → Edit (admin/structure/types/manage/article) then Publishing options → Enabled, with translation.
  5. Create an Article at node/add/article and set it to English. Create another and set it to the second language. Set both to Unpublished. Note their node IDs.
  6. Create the role “Translator” (at admin/people/permissions/roles).
    Add the following permissions (at admin/people/permissions) with exactly these permissions: “Translate content,” “Administer content translations” and “View own unpublished content.” Ensure “bypass node access” is not enabled. Save the permissions. 
  7. Create a user (at admin/people/create) with that role and log in as that user.
  8. Visit node/[unpublished-node-id]/translate: the translation tab shows the unpublished node’s title/ID and links, even though the user shouldn’t see it.
  9. On that page, use the translation autocomplete (below the translation links) to search for another unpublished node’s title: the JSON response returns unpublished titles/IDs and lets you attach them as translations.
  10. Visit the second Article and confirm the same.

Addressing the Issue

Users of the affected components should apply one of the following:

  • Implement custom node access checks via hook_menu_alter().
  • Remove the 'administer content translations' permission until the patched code is installed.
  • Disable the autocomplete function via a hook.
  • Implement a custom callback that intercepts the autocomplete request.
  • Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this module.

Credits

Pink arrow
Pink arrow
CVE-2025-31687
CVE-2025-31689
SA-CORE-2025-002
SA-CONTRIB-2025-072
SA-CONTRIB-2025-028
CVE-2025-3901
CVE-2025-12848
CVE-2025-3900
CVE-2024-13247
CVE-2025-14556
CVE-2025-14557
CVE-2025-47705
CVE-2026-0750
CVE-2026-0749
CVE-2026-0748
CVE-2025-31675
CVE-2026-1556
CVE-2025-13083
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Medium
ID
CVE-2026-0748
PROJECT Affected
i18n_node in i18n
Versions Affected
>=7.1.0 <=7.1.35
NES Versions Affected
Published date
January 29, 2026
≈ Fix date
May 29, 2025
Fixed in
NES for Drupal 7
Category
Broken Access
Sign up for the latest vulnerability alerts fixed in
NES for Drupal 7
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.