DRUPAL-CONTRIB-2026-034

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/node_view_permissions/DRUPAL-CONTRIB-2026-034.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-034

Aliases

CVE-2026-8491

Published

2026-05-13T17:16:59Z

Modified

2026-05-13T19:00:23.164973Z

Summary

[none]

Details

Node view permissions module enables permissions "View own content" and "View any content" for each content type on permissions page
The module doesn't sufficiently handle the case where a user is cancelled and their content is reassigned to the anonymous user.
This vulnerability is mitigated by the fact that only private contents where anonymous should not have view access are affected, and only if a node was reassigned to the anonymous user.

References

https://www.drupal.org/sa-contrib-2026-034

Credits

- Adam Shepherd (adamps)
- - https://www.drupal.org/u/adamps

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/node_view_permissions

Package

Name: drupal/node_view_permissions
Purl: pkg:composer/drupal/node_view_permissions

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.7.0

Database specific

{
    "constraint": "<1.7.0"
}

Type

ECOSYSTEM

Events

Introduced

2.0.0

Fixed

2.0.1

Database specific

{
    "constraint": ">=2.0.0 <2.0.1"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/node_view_permissions/DRUPAL-CONTRIB-2026-034.json"

affected_versions

"<1.7.0 || >=2.0.0 <2.0.1"