CVE-2026-8491PATCHED

drupal · node view permissions

Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034

Description

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing. This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1.

Affected Products

Vendor	Product	Versions
drupal	node view permissions	0.0.0, 2.0.0

References

https://www.drupal.org/sa-contrib-2026-034

Related News (2 articles)

Tier C

VulDB39d ago

CVE-2026-8491 | Node View Permissions up to 1.6.x/2.0.0 on Drupal unusual condition (sa-contrib-2026-034)

→ No new info (linked only)

Tier B

BSI Advisories43d ago

[UPDATE] [mittel] Drupal Extensions: Mehrere Schwachstellen

→ No new info (linked only)

CVSS 3.13.7 LOW

VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA KEV❌ No

Actively exploited❌ No

Patch available

1.7.02.0.1

CWECWE-754

PublishedMay 19, 2026

Last enriched39d agov2

Trending Score1

Source articles2

Independent2

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALPRE-CVE

Critical SQL Injection and Access Bypass Vulnerabilities in Drupal Geolocation Field and WissKI Modules

Trending: 20

CRITICALPRE-CVE

Multiple vulnerabilities in Drupal core and contributed modules

Trending: 9

CRITICALCVE-2026-9082EXPKEV

Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

Trending: 4

CRITICALPRE-CVEEXP

Multiple Vulnerabilities in Various Drupal Extensions

Trending: 2

CRITICALPRE-CVE

Critical Arbitrary PHP Code Execution in Drupal AlternativeCommerce (Basket)

Trending: 1

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

May 19, 2026

Discovered by ZDM

May 19, 2026

Updated: affectedVersions, severity

May 20, 2026

Patch Available

May 20, 2026

Version History

Last enriched 39d ago

v2Tier C39d ago

Updated affected versions to include 1.6.x, changed severity to MEDIUM, and noted that no exploit exists.

affectedVersionsseverity

via VulDB

v139d ago

Initial creation