Description
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB projection has already been set before applying the admin-configured publicApiProjection. An unauthenticated attacker can supply a project query parameter in the REST API request, which is processed by applyBuildersSafely before the permission check, pre-populating the projection state and causing the publicApiProjection to be skipped entirely. This allows disclosure of any field on publicly queryable documents that the administrator explicitly restricted from the public API, such as internal notes, draft content, or metadata. Exploitation is trivial, requiring only appending query parameters to a public URL with no authentication. This issue has been fixed in version 4.29.0.
Published: 2026-04-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data confidentiality breach
Action: Patch Now
AI Analysis

Impact

ApostropheCMS versions 4.28.0 and earlier suffer an authorization bypass in the getRestQuery method of the @apostrophecms/piece-type module. The bug allows an unauthenticated attacker to supply a project query parameter that is processed before the system’s publicApiProjection check, effectively disabling the admin‑configured projection safeguards. This flaw enables disclosure of fields that administrators have explicitly withheld from the public API, such as internal notes, draft content, or metadata. The weakness is a classic informational disclosure (CWE‑200) compounded by improper authorization checks (CWE‑863). Exploitation is trivial, requiring only an appended query string to a publicly reachable URL.

Affected Systems

ApostropheCMS, open‑source Node.js content‑management system, is affected. All releases up to and including 4.28.0 are vulnerable. The vulnerability was resolved in the 4.29.0 release. No specific edition or platform information is provided beyond the generic product name.

Risk and Exploitability

The CVSS score of 5.3 denotes a moderate severity, with the vulnerability enabling non‑authenticated data exposure. EPSS scoring is not available, so the empirical exploitation probability cannot be quantified from the data. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed widespread exploitation reports. The likely attack vector is through any endpoint that accepts a project query parameter in the public REST API, as inferred from the description of the flaw. An attacker can construct a request that includes the project parameter, causing the system to skip the publicApiProjection and return private fields to an unauthenticated client.

Generated by OpenCVE AI on April 15, 2026 at 21:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the 4.29.0 or later ApostropheCMS update to eliminate the projection bypass
  • Verify that the publicApiProjection setting is preserved in the updated configuration
  • Review public API permissions and remove any sensitive fields from public queries

Generated by OpenCVE AI on April 15, 2026 at 21:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xhq9-58fw-859p ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API
History

Thu, 16 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Apostrophecms
Apostrophecms apostrophecms
Vendors & Products Apostrophecms
Apostrophecms apostrophecms

Wed, 15 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB projection has already been set before applying the admin-configured publicApiProjection. An unauthenticated attacker can supply a project query parameter in the REST API request, which is processed by applyBuildersSafely before the permission check, pre-populating the projection state and causing the publicApiProjection to be skipped entirely. This allows disclosure of any field on publicly queryable documents that the administrator explicitly restricted from the public API, such as internal notes, draft content, or metadata. Exploitation is trivial, requiring only appending query parameters to a public URL with no authentication. This issue has been fixed in version 4.29.0.
Title ApostropheCMS: publicApiProjection Bypass via `project` Query Builder in Piece-Type REST API
Weaknesses CWE-200
CWE-863
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Apostrophecms Apostrophecms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T20:03:30.594Z

Reserved: 2026-03-24T15:10:05.681Z

Link: CVE-2026-33888

cve-icon Vulnrichment

Updated: 2026-04-15T20:03:24.555Z

cve-icon NVD

Status : Received

Published: 2026-04-15T20:16:35.677

Modified: 2026-04-15T20:16:35.677

Link: CVE-2026-33888

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:00:05Z

Weaknesses