Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029

Wed, 2026-03-11 09:35 — Anonymous (not verified)

Project: Unpublished Node PermissionsDate: 2026-March-11Security risk: Critical 15 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.7.0Description: This module creates permissions per node content type to control access to unpublished nodes per content type.
The module does not consistently control access for unpublished translated nodes.Solution: Install the latest version:

If you use the Unpublished Node Permissions module, upgrade to Unpublished Node Permissions 8.x-1.7.

Reported By:

Andre Groendijk (groendijk)

Fixed By:

Fabien Gutknecht (fabsgugu)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Jess (xjm) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2026-029

Search form

Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029