Description
ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA requirements were NOT — to be used as fully authenticated bearer tokens. This completely bypasses multi-factor authentication for any ApostropheCMS deployment using `@apostrophecms/login-totp` or any custom `afterPasswordVerified` login requirement. Version 4.28.0 fixes the issue.
Published: 2026-03-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: MFA bypass leading to unauthorized access
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an incorrect MongoDB query in the bearer token authentication middleware. Login tokens issued after a valid password but before the Time-Based One-Time Password (TOTP) or other multi-factor authentication (MFA) requirement has been satisfied are matched by that query as if the login had completed. Anyone who holds such an incomplete token, which in practice means anyone who can pass the password step for an account (a phished, leaked or guessed password suffices), can present it as a bearer token and act with that account's privileges without ever supplying a second factor. This enables unauthorized read, write or administrative operations, depending on the account's role, compromising the confidentiality, integrity and availability of CMS content and configuration.
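The following is an added illustration written for this page, not code from ApostropheCMS or from the advisory: an in-memory model of a bearer-token lookup that, like the flaw described above, checks the token id and expiry but never asks whether every login requirement was satisfied, next to a corrected query that does. The document shape (`userId`, `expires`, `requirementsPending`), the tiny `findOne` stand-in and the sample token documents are all assumptions made for illustration, not the project's real schema, query or line 386-389 code.

```javascript
// Added example, not ApostropheCMS code. Field names, the collection shape
// and the operator subset are assumptions chosen for illustration.

// Constructed sample token documents standing in for a MongoDB collection.
const NOW = new Date('2026-03-18T00:00:00Z');
const tokens = [
  // Password and TOTP both verified: a complete login.
  { _id: 'tok-complete', userId: 'admin', expires: new Date('2099-01-01'), requirementsPending: [] },
  // Password verified, TOTP still outstanding: must never act as a bearer token.
  { _id: 'tok-incomplete', userId: 'admin', expires: new Date('2099-01-01'), requirementsPending: ['totp'] },
  // Complete but expired.
  { _id: 'tok-expired', userId: 'editor', expires: new Date('2000-01-01'), requirementsPending: [] },
  // Legacy document with no requirementsPending field at all.
  { _id: 'tok-legacy', userId: 'editor', expires: new Date('2099-01-01') }
];

// Minimal stand-in for MongoDB's findOne, supporting only the operators used below.
function matches(value, cond) {
  if (cond !== null && typeof cond === 'object' && !(cond instanceof Date) && !Array.isArray(cond)) {
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case '$gt': return value !== undefined && value > arg;
        // As in MongoDB, $size only matches an array of that length; a missing field never matches.
        case '$size': return Array.isArray(value) && value.length === arg;
        default: throw new Error(`unsupported operator ${op}`);
      }
    });
  }
  return value === cond;
}
function findOne(collection, query) {
  return collection.find(doc => Object.entries(query).every(([field, cond]) => matches(doc[field], cond))) || null;
}

// Vulnerable pattern: the query checks id and expiry but not whether the
// login actually finished, so the incomplete token is accepted.
function lookupVulnerable(tokenId, now = NOW) {
  return findOne(tokens, { _id: tokenId, expires: { $gt: now } });
}

// Corrected pattern: the query itself insists that no requirement is pending,
// so a token issued between the password step and the TOTP step cannot match.
// Documents lacking the field fail closed, because $size does not match a missing array.
function lookupFixed(tokenId, now = NOW) {
  return findOne(tokens, { _id: tokenId, expires: { $gt: now }, requirementsPending: { $size: 0 } });
}

// Core of a bearer middleware: returns the authenticated userId, or null to reject.
function authenticateBearer(authorizationHeader, lookup) {
  const match = /^Bearer\s+(\S+)$/.exec(authorizationHeader || '');
  if (!match) return null;
  const doc = lookup(match[1]);
  return doc ? doc.userId : null;
}

// Usage: the same header authenticates under the vulnerable query and is rejected under the fixed one.
console.log(authenticateBearer('Bearer tok-incomplete', lookupVulnerable)); // 'admin' (MFA bypassed)
console.log(authenticateBearer('Bearer tok-incomplete', lookupFixed));      // null
```

The point of putting the completeness condition into the query rather than checking it afterwards in JavaScript is that the database then has no way to hand back a half-authenticated document at all; the legacy-document case shows why the condition should be phrased so that an absent field fails closed.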

Affected Systems

The flaw affects ApostropheCMS deployments running any release before 4.28.0 (4.27.x and earlier). A deployment is exposed only if it enforces a post-password login requirement, that is, if it uses the @apostrophecms/login-totp module or a custom afterPasswordVerified requirement; without such a requirement there is no second factor to bypass. Version 4.28.0 corrects the query and restores MFA enforcement.

Risk and Exploitability

The CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) rates the vulnerability high: it is reachable over the network with no user interaction and no prior privileges on the application, but attack complexity is high because the attacker must first clear the password step for a target account, for example with a phished, leaked or guessed password, in order to be issued an incomplete login token. The EPSS score is below 1%, so large-scale exploitation currently looks unlikely, and the issue is not in the CISA Known Exploited Vulnerabilities catalog, although the SSVC assessment records the exploitation state as proof-of-concept (poc) with total technical impact. Once the attacker holds such a token, presenting it as a bearer token gives full access at the privilege level of the compromised account, administrative access if that account is an administrator, with the second factor never checked.

Generated by OpenCVE AI on March 24, 2026 at 22:30 UTC.

Remediation

Vendor fix: ApostropheCMS 4.28.0 corrects the bearer token query (see the description above). No separate workaround has been published by the vendor.

OpenCVE Recommended Actions

  • Upgrade ApostropheCMS to version 4.28.0 or later to apply the fix
  • After upgrading, confirm that @apostrophecms/login-totp (or the custom afterPasswordVerified requirement) is still enabled and actually enforced: complete only the password step of a login, then attempt an API request with the resulting token and verify it is rejected
  • If upgrading immediately is not feasible, treat bearer-token API access as untrusted until the patch is applied: restrict it at the network or proxy layer where the deployment allows, or monitor it closely
  • Review any custom code that looks up login or bearer tokens and make sure the lookup itself requires that every login requirement has been satisfied, rather than relying on a separate check after the token is matched
  • Monitor authentication logs for logins that pass the password step but never complete TOTP, especially when bearer-token API requests for the same account follow, and investigate promptly



Advisories
Source: GitHub GHSA
ID: GHSA-v9xm-ffx2-7h35
Title: ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware
History

Tue, 24 Mar 2026 21:45:00 +0000

CPEs (added): cpe:2.3:a:apostrophecms:apostrophecms:*:*:*:*:*:*:*:*

Thu, 19 Mar 2026 17:15:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 09:45:00 +0000

First Time appeared (added): Apostrophecms; Apostrophecms apostrophecms
Vendors & Products (added): Apostrophecms; Apostrophecms apostrophecms

Wed, 18 Mar 2026 22:30:00 +0000

Description (added): ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA requirements were NOT — to be used as fully authenticated bearer tokens. This completely bypasses multi-factor authentication for any ApostropheCMS deployment using `@apostrophecms/login-totp` or any custom `afterPasswordVerified` login requirement. Version 4.28.0 fixes the issue.
Title (added): ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware
Weaknesses (added): CWE-287, CWE-305
References: none recorded
Metrics (added): cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-19T16:12:15.179Z

Reserved: 2026-03-13T15:02:00.626Z

Link: CVE-2026-32730

Vulnrichment

Updated: 2026-03-19T16:12:06.803Z

NVD

Status : Analyzed

Published: 2026-03-18T23:17:29.370

Modified: 2026-03-24T21:34:09.467

Link: CVE-2026-32730

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:51:57Z

Weaknesses