Auth bypass in Drupal Unpublished Node Permissions

CVE-2026-4933

Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.

Vulnerability class: Broken Access Control

EPSS: 0.001 (16.3th percentile) — read the EPSS interpretation.

Affected products

Drupal Unpublished Node Permissions — versions 0.0.0

Weakness classification (CWE)

CWE-863 — Incorrect Authorization

References

www.drupal.org/sa-contrib-2026-029