Cyber Resilience

CVE-2026-4933

High

Published: 26 March 2026

Modified: 01 April 2026
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0005 (16.4th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-4933 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Jeroenb Unpublished Node Permissions. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 16.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4933 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal Unpublished Node Permissions module that allows forceful browsing to access unpublished nodes. The issue affects all versions of the module from 0.0.0 before 1.7.0 and was published on 2026-03-26.

Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Successful exploitation enables high-impact unauthorized disclosure of confidential information contained in unpublished nodes, with no impact on integrity or availability.

The Drupal security advisory at https://www.drupal.org/sa-contrib-2026-029 addresses this issue, recommending an upgrade to Unpublished Node Permissions version 1.7.0 or later for mitigation.

EU & UK References

Vulnerability details

Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing. This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Incorrect authorization bypass in public-facing Drupal web app module enables remote unauthenticated forceful browsing for data disclosure, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21565 (shared CWE-863)
CVE-2026-46823 (shared CWE-863)
CVE-2026-44260 (shared CWE-863)
CVE-2024-13277 (shared CWE-863)
CVE-2025-30743 (shared CWE-863)
CVE-2026-30947 (shared CWE-863)
CVE-2026-34453 (shared CWE-863)
CVE-2025-54253 (shared CWE-863)
CVE-2026-34646 (shared CWE-863)
CVE-2025-10611 (shared CWE-863)

Affected Assets

jeroenb / unpublished node permissions / ≤ 8.x-1.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 (Flaw Remediation) · prevent

Directly mitigates the CVE by requiring timely remediation of the authorization flaw in the Drupal Unpublished Node Permissions module through an upgrade to version 1.7.0 or later.

AC-3 (Access Enforcement) · prevent

Enforces system-wide approved authorizations, preventing forceful browsing and unauthorized access to unpublished nodes.

prevent

Applies least privilege so that only authorized users can access unpublished nodes, reducing the impact of an authorization bypass.

References