{"id":"DRUPAL-CONTRIB-2026-034","details":"Node view permissions module enables permissions \"View own content\" and \"View any content\" for each content type on permissions page  \nThe module doesn't sufficiently handle the case where a user is cancelled and their content is reassigned to the anonymous user.  \nThis vulnerability is mitigated by the fact that only private contents where anonymous should not have view access are affected, and only if a node was reassigned to the anonymous user.","aliases":["CVE-2026-8491"],"modified":"2026-05-13T19:00:23.164973Z","published":"2026-05-13T17:16:59Z","references":[{"type":"WEB","url":"https://www.drupal.org/sa-contrib-2026-034"}],"affected":[{"package":{"name":"drupal/node_view_permissions","ecosystem":"Packagist:https://packages.drupal.org/8","purl":"pkg:composer/drupal/node_view_permissions"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.7.0"}],"database_specific":{"constraint":"\u003c1.7.0"}},{"type":"ECOSYSTEM","events":[{"introduced":"2.0.0"},{"fixed":"2.0.1"}],"database_specific":{"constraint":"\u003e=2.0.0 \u003c2.0.1"}}],"database_specific":{"source":"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/node_view_permissions/DRUPAL-CONTRIB-2026-034.json","affected_versions":"\u003c1.7.0 || \u003e=2.0.0 \u003c2.0.1"}}],"schema_version":"1.7.5","credits":[{"name":"Adam Shepherd (adamps)","contact":["https://www.drupal.org/u/adamps"]}]}