As an academic group, we wanted to improve the look and feel of our website on a tight budget. The team at Project Ricochet was consistently responsive to our concerns and willing to help us meet our goals. They were transparent with their costs, which allowed us to pick and choose which features and changes we deemed most important. Thanks to this transparency, our new website is a substantial improvement over the old that we were able to achieve in a cost-effective fashion.
—Justin Inman, UCSF

Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029

Wed, 2026-03-11 09:35 — Anonymous (not verified)

Project: Unpublished Node PermissionsDate: 2026-March-11Security risk: Critical 15 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.7.0Description: This module creates permissions per node content type to control access to unpublished nodes per content type.
The module does not consistently control access for unpublished translated nodes.Solution: Install the latest version:

If you use the Unpublished Node Permissions module, upgrade to Unpublished Node Permissions 8.x-1.7.

Reported By:

Andre Groendijk (groendijk)

Fixed By:

Fabien Gutknecht (fabsgugu)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Jess (xjm) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2026-029

Search form

Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029