CVE-2009-2077 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2077): Drupal 6.x before 6.x-2.6, a module for Drupal, allows remote authenticated users to bypass access restrictions and (1) read unpublished content from anonymous users when a view is already configured to display the content, and (2) read private content in generated queries.
This issue exists in the "Views for Drupal" module which we do not ship. Mailed coley about the CVE description.