Impact
ApostropheCMS (a Node.js content management system) contains an authorization bypass vulnerability in the REST API's choices and counts query parameters. The vulnerability arises because these query builders invoke MongoDB's distinct() operation before the publicApiProjection restrictions are applied. As distinct() ignores projections, an unauthenticated attacker can retrieve all distinct values for any schema field that supports a query builder, including string, integer, float, select, boolean, date, slug, and relationship fields. The results bypass both publicApiProjection and removeForbiddenFields, exposing protected data and, in the case of counts, revealing how many documents hold each value. This results in a direct information disclosure that compromises confidentiality for any exposed fields.
Affected Systems
All ApostropheCMS installations running version 4.28.0 or earlier are affected, across both the piece-type and page REST APIs. The vulnerability is resolved in version 4.29.0, which applies the projection rules before executing distinct queries. Any deployment still on a vulnerable version therefore remains susceptible until it is upgraded or otherwise mitigated.
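The mechanism described above (distinct() returning bare values that no later projection can strip) and the shape of the 4.29.0 fix (deciding what the caller may read before the database is queried) can be shown with a small stand-in for a MongoDB collection. The following is an added illustration written for this page; it is not ApostropheCMS code, and the document set, the field names, the publicApiProjection contents and the function names are all constructed for the example.

```javascript
// Added example, not ApostropheCMS code: an in-memory stand-in for a MongoDB
// collection that shows why distinct() escapes a projection and how a
// projection-aware query builder closes the gap.

// Constructed sample documents; field names are hypothetical.
const docs = [
  { _id: 1, title: 'Welcome', internalNote: 'draft by alice', salaryBand: 3 },
  { _id: 2, title: 'About',   internalNote: 'needs review',   salaryBand: 3 },
  { _id: 3, title: 'Contact', internalNote: 'legal hold',     salaryBand: 5 },
];

// Minimal model of the two driver calls that matter here.
const collection = {
  // find() honours a projection: only the listed fields (plus _id) come back.
  find(projection) {
    return docs.map(d => Object.fromEntries(
      Object.entries(d).filter(([k]) => k === '_id' || projection[k] === 1)));
  },
  // distinct() takes a field name but no projection: it returns every unique
  // value of that field regardless of what the caller is allowed to see.
  distinct(field) {
    return [...new Set(docs.map(d => d[field]).filter(v => v !== undefined))];
  },
};

// Hypothetical public projection in the spirit of publicApiProjection:
// unauthenticated callers may read only the title field.
const publicApiProjection = { title: 1 };

// Document reads go through find(), so the projection protects them.
function publicDocs() {
  return collection.find(publicApiProjection);
}

// Vulnerable pattern: distinct() runs first; the projection is "applied" to a
// list of bare values afterwards, which strips nothing. ctx is never consulted
// before the query, so unauthenticated callers get every value.
function choicesVulnerable(field, ctx) {
  const values = collection.distinct(field);
  return values;
}

// Hardened pattern: work out the readable field set before touching the
// database, and refuse fields outside it for unauthenticated callers.
function allowedFields(ctx) {
  return ctx.authenticated ? null : new Set(Object.keys(publicApiProjection));
}

function choicesHardened(field, ctx) {
  const allowed = allowedFields(ctx);
  if (allowed && !allowed.has(field)) {
    // Fail closed with an explicit error rather than a silent empty list.
    throw new Error(`field ${field} is not readable via the public API`);
  }
  return collection.distinct(field);
}

// counts reuses the same gate and adds a per-value document count.
function countsHardened(field, ctx) {
  return choicesHardened(field, ctx).map(value => ({
    value,
    count: docs.filter(d => d[field] === value).length,
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', choicesVulnerable('internalNote', { authenticated: false }));
  try {
    choicesHardened('internalNote', { authenticated: false });
  } catch (e) {
    console.log('hardened:', e.message);
  }
  console.log('counts (authenticated):', countsHardened('salaryBand', { authenticated: true }));
}
```

The point of the contrast is ordering: once distinct() has returned, there are no documents left for a projection or a forbidden-field filter to act on, so the only effective place for the check is before the query. Unauthenticated requests for a field outside the public projection should be refused outright, which also makes the condition easy to log and alert on.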
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. No EPSS score is available, so the current exploitation probability is unknown, though it is potentially significant because the vulnerable endpoint is reachable without authentication. The vulnerability is not listed in the CISA KEV catalog, so there is no public record of exploitation yet; however, the absence of access controls on the affected query parameters is an obvious attack vector for anyone seeking sensitive data. The risk grows with the number of publicly exposed API endpoints and the number of sensitive fields registered for query building.
OpenCVE Enrichment
Github GHSA