CVE-2017-6930
Description
In Drupal 8.4.x before 8.4.5, the untranslated version of a node is used as a fallback for access queries on multilingual sites, leading to an access bypass.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Drupal versions 8.4.x before 8.4.5, when using node access controls with a multilingual site, Drupal incorrectly marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. The vulnerability is mitigated by the fact that it only applies to sites that use the Content Translation module and a node access module such as Domain Access which implements hook_node_access_records() [1][2].
Exploitation
An attacker must have access to a multilingual Drupal site that uses the Content Translation module and a node access module (e.g., Domain Access). The attacker can exploit the bug by targeting nodes that have not been fully translated into a particular language. The system will fall back to the untranslated version, bypassing node access restrictions that were intended for that language. No authentication or special privileges are required beyond the ability to view nodes on the site [2][3].
Impact
Successful exploitation allows an attacker to view restricted content (information disclosure) that they should not have access to. The attacker may also be able to interact with content in ways normally prohibited by node access controls. The impact is limited to sites meeting the specific configuration prerequisites [2][3].
Mitigation
Drupal 8.4.5, released on 2018-03-01, fixes this vulnerability. Users should upgrade to version 8.4.5 or later. There is no known workaround for sites that cannot immediately upgrade. The issue does not affect Drupal 7 [2][4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 8.4.0, < 8.4.5 | 8.4.5 |
| drupal/drupal (Packagist) | >= 8.4.0, < 8.4.5 | 8.4.5 |
Affected products
- ghsa-coords (2 versions): >= 8.4.0, < 8.4.5
- (no CPE) range: >= 8.4.0, < 8.4.5
- (no CPE) range: >= 8.4.0, < 8.4.5
- Range: 8.4.x versions before 8.4.5
References
- github.com/advisories/GHSA-3327-jr93-7hq3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-6930 (ghsa, ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2017-6930.yaml (ghsa, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2017-6930.yaml (ghsa, WEB)
- www.drupal.org/sa-core-2018-001 (ghsa, x_refsource_CONFIRM, WEB)