CVE-2026-33888

MEDIUM EPSS 39.8%
Published Apr 15, 20262mo ago · Modified Jun 17, 20261w ago
5.3 CVSS 3.1
Medium
Find Similar
Published Apr 15, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB projection has already been set before applying the admin-configured publicApiProjection. An unauthenticated attacker can supply a project query parameter in the REST API request, which is processed by applyBuildersSafely before the permission check, pre-populating the projection state and causing the publicApiProjection to be skipped entirely. This allows disclosure of any field on publicly queryable documents that the administrator explicitly restricted from the public API, such as internal notes, draft content, or metadata. Exploitation is trivial, requiring only appending query parameters to a public URL with no authentication. This issue has been fixed in version 4.29.0.

CVSS Details

Base Score
5.3
Exploitability
3.9
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
39.8% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure
CWE-863 Incorrect Authorization Authorization

Affected Products 1

VendorProductVersionRange
apostrophecmsapostrophecms* <4.29.0

References 3

  • github.com https://github.com/apostrophecms/apostrophe/commit/00d472804bb622df36a761b6f2cf2b33b2d4ce80
    Patch
  • github.com https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa
    Patch
  • github.com https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-xhq9-58fw-859p
    ExploitMitigationVendor Advisory

Remediation

  • github.com https://github.com/apostrophecms/apostrophe/commit/00d472804bb622df36a761b6f2cf2b33b2d4ce80
    Patch
  • github.com https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa
    Patch