CVE-2026-8491 Drupal CVE debrief

Who should care

Administrators and maintainers using Drupal Node View Permissions, especially deployments on affected version branches, should review exposure and plan an update.

Technical summary

The issue is described as an improper check for unusual or exceptional conditions, with the resulting impact characterized as forceful browsing. The supplied CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, which aligns with limited confidentiality impact and no integrity or availability impact. The source also lists CWE-754 and a Drupal advisory reference.

Defensive priority

Medium-low. The CVSS score is 3.7 (LOW), but the issue affects access control behavior, so exposed installations should still prioritize patching within normal maintenance cycles.

Recommended defensive actions

• Upgrade Node View Permissions to 1.7.0 or later on the 1.x branch.
• Upgrade Node View Permissions to 2.0.1 or later on the 2.x branch.
• Inventory Drupal sites for installed Node View Permissions versions and confirm which branch is deployed.
• Review whether any unauthorized content access occurred before remediation, especially where node visibility depends on this module.
• Track the Drupal advisory referenced by the NVD record for any follow-up guidance.

Evidence notes

All facts in this debrief are taken from the supplied CVE/NVD data and the referenced Drupal advisory link. The CVE was published at 2026-05-19T23:16:58.740Z and modified at 2026-05-20T18:16:27.980Z. The supplied record identifies the issue as 'Improper Check for Unusual or Exceptional Conditions' affecting Drupal Node View Permissions with the stated version ranges, CVSS score 3.7, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, and CWE-754. Vendor/product mapping remains low-confidence in the provided data, so the debrief uses the module name directly.

Official resources