
CVE-2026-4933

Severity: High

Published: 26 March 2026
Modified: 01 April 2026
KEV Added: not listed
Patch: upgrade Unpublished Node Permissions to version 1.7.0 or later
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0005 (15.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-4933 is a high-severity Incorrect Authorization (CWE-863) vulnerability in the Jeroenb Unpublished Node Permissions module for Drupal. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE in the 15.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): directly mitigates the CVE by requiring timely remediation of the authorization flaw in the Drupal Unpublished Node Permissions module through an upgrade to version 1.7.0 or later.

AC-3 Access Enforcement (prevent): enforces system-wide approved authorizations, preventing forceful browsing and unauthorized access to unpublished nodes.

AC-6 Least Privilege (prevent): applies least privilege so that only authorized users can reach unpublished nodes, reducing the impact of an authorization bypass.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Incorrect authorization bypass in public-facing Drupal web app module enables remote unauthenticated forceful browsing for data disclosure, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing. This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.

Deeper analysis

CVE-2026-4933 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal Unpublished Node Permissions module that allows forceful browsing to access unpublished nodes. The issue affects all versions of the module from 0.0.0 before 1.7.0 and was published on 2026-03-26.

Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Successful exploitation enables high-impact unauthorized disclosure of confidential information contained in unpublished nodes, with no impact on integrity or availability.

The Drupal security advisory at https://www.drupal.org/sa-contrib-2026-029 addresses this issue, recommending an upgrade to Unpublished Node Permissions version 1.7.0 or later for mitigation.

Details

CWE(s)

CWE-863 Incorrect Authorization

Affected Products

Vendor: jeroenb
Product: unpublished node permissions
Versions: ≤ 8.x-1.7

CVEs Like This One

CVE-2026-34376 (shared CWE-863)
CVE-2026-23989 (shared CWE-863)
CVE-2026-31887 (shared CWE-863)
CVE-2026-28808 (shared CWE-863)
CVE-2026-34532 (shared CWE-863)
CVE-2026-21309 (shared CWE-863)
CVE-2026-29087 (shared CWE-863)
CVE-2026-26308 (shared CWE-863)
CVE-2024-13277 (shared CWE-863)
CVE-2026-25875 (shared CWE-863)

References

Drupal security advisory SA-CONTRIB-2026-029: https://www.drupal.org/sa-contrib-2026-029