VYPR
← All advisories
Unrated severityNVD Advisory· Published May 19, 2026

CVE-2026-8491

CVE-2026-8491

Description

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing.

This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Node View Permissions module for Drupal fails to properly check access when user content is reassigned to anonymous, allowing forceful browsing of private nodes.

Vulnerability

Overview

The Node View Permissions module for Drupal provides per-content-type view permissions such as "View own content" and "View any content". A vulnerability exists due to an improper check for unusual or exceptional conditions when a user account is cancelled and their content is reassigned to the anonymous user. The module does not sufficiently handle this reassignment, leading to a forceful browsing issue [1].

Exploitation

Conditions

Exploitation is limited to private content where the anonymous user should not normally have view access. The attack surface is further constrained to nodes that have been reassigned to the anonymous user, typically after a user cancellation. No authentication is required for the anonymous user to attempt viewing such content [1].

Impact

An anonymous attacker can bypass intended access restrictions and view private content that should be hidden. This constitutes an access bypass vulnerability, potentially exposing sensitive information [1].

Mitigation

The vulnerability is patched in Node View Permissions versions 1.7.0 (for the 8.x-1.x branch) and 2.0.1 (for the 2.x branch). Users running earlier versions should upgrade immediately. No workaround is provided in the advisory [1].

References
  1. Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Drupal/Node View Permissionsinferred2 versions
    >=0.0.0,<1.7.0 || >=2.0.0,<2.0.1+ 1 more
    • (no CPE)range: >=0.0.0,<1.7.0 || >=2.0.0,<2.0.1
    • (no CPE)range: >=0.0.0 <1.7.0, >=2.0.0 <2.0.1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.