diff --git a/core/modules/content_moderation/content_moderation.module b/core/modules/content_moderation/content_moderation.module
index 3481c243e1..d8c1e30a40 100644
--- a/core/modules/content_moderation/content_moderation.module
+++ b/core/modules/content_moderation/content_moderation.module
@@ -21,6 +21,7 @@
 use Drupal\Core\Routing\RouteMatchInterface;
 use Drupal\Core\Session\AccountInterface;
 use Drupal\Core\Url;
+use Drupal\node\NodeInterface;
 use Drupal\workflows\WorkflowInterface;
 use Drupal\Core\Action\Plugin\Action\PublishAction;
 use Drupal\Core\Action\Plugin\Action\UnpublishAction;
@@ -319,3 +320,32 @@ function content_moderation_workflow_update(WorkflowInterface $entity) {
   // Clear field cache so extra field is added or removed.
   \Drupal::service('entity_field.manager')->clearCachedFieldDefinitions();
 }
+
+/**
+ * Implements hook_node_access_records().
+ */
+function content_moderation_node_access_records(NodeInterface $node) {
+  $grants = [];
+  if (!$node->isPublished()) {
+    // User has bypass permission.
+    $grants[] = [
+      'realm' => 'content_moderation_view_any_unpublished',
+      'gid' => 0,
+      'grant_view' => 1,
+      'grant_update' => 0,
+      'grant_delete' => 0,
+    ];
+    return $grants;
+  }
+}
+
+/**
+ * Implements hook_node_grants().
+ */
+function content_moderation_node_grants(AccountInterface $account, $op) {
+  $grants = [];
+  if ($op == 'view' && $account->hasPermission('view any unpublished content')) {
+    $grants['content_moderation_view_any_unpublished'][] = 0;
+  }
+  return $grants;
+}