Ricochet has been an invaluable partner in the development of our Drupal sites. Working with Casey, he lent a critical eye to our requirements to understand the feature set and objectives. During development, he was able to propose alternative implementations or creative solutions which met the requirements in an elegant and efficient manner. All the while, Casey maintained perspective on the user experience, to ensure that the product was not only bug free, but also easy to use an navigate. Furthermore, I could rely on Casey to keep me informed of issues and status with timely updates.
—Casey C., Future US

Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034

Wed, 2026-05-13 10:16 — Anonymous (not verified)

Project: Node View PermissionsDate: 2026-May-13Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <1.7.0 || >=2.0.0 <2.0.1CVE IDs: CVE-2026-8491Description: Node view permissions module enables permissions "View own content" and "View any content" for each content type on permissions page
The module doesn't sufficiently handle the case where a user is cancelled and their content is reassigned to the anonymous user.
This vulnerability is mitigated by the fact that only private contents where anonymous should not have view access are affected, and only if a node was reassigned to the anonymous user.Solution: Install the latest version:

If you use the Node View Permissions module version 2.0.0. or prior, upgrade to 2.0.1.
If you use the Node View Permissions module version 8.x-1.6. or prior, upgrade to 8.x-1.7.

Reported By:

Adam Shepherd (adamps)

Fixed By:

Bálint Nagy (nagy.balint)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2026-034

Search form

Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034