CVE-2026-4933 PUBLISHED

Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing.This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0.

• Andre Groendijk (groendijk) finder
• Fabien Gutknecht (fabsgugu) remediation developer
• Greg Knaddison (greggles) coordinator
• Juraj Nemec (poker10) coordinator
• Jess (xjm) coordinator

• https://www.drupal.org/sa-contrib-2026-029

• CWE-863 Incorrect Authorization CWE

• CAPEC-87 Forceful Browsing