Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034

Project:

Node View Permissions

Date:

2026-May-13

Security risk:

Moderately critical 11 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Default

Vulnerability:

Access bypass

Affected versions:

<1.7.0 || >=2.0.0 <2.0.1

CVE IDs:

CVE-2026-8491

Description:

Node view permissions module enables permissions "View own content" and "View any content" for each content type on permissions page
The module doesn't sufficiently handle the case where a user is cancelled and their content is reassigned to the anonymous user.
This vulnerability is mitigated by the fact that only private contents where anonymous should not have view access are affected, and only if a node was reassigned to the anonymous user.

Solution:

Install the latest version:

If you use the Node View Permissions module version 2.0.0. or prior, upgrade to 2.0.1.
If you use the Node View Permissions module version 8.x-1.6. or prior, upgrade to 8.x-1.7.

Reported By:

Adam Shepherd (adamps)

Fixed By:

Bálint Nagy (nagy.balint)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Contribution record

Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community