Authorization Bypass Vulnerability in ApostropheCMS
CVE-2026-33888

5.3 MEDIUM

Key Information:

Vendor
CVE Published: 15 April 2026

What is CVE-2026-33888?

ApostropheCMS, an open-source Node.js content management system, is susceptible to an authorization bypass in the getRestQuery method of the @apostrophecms/piece-type module. The flaw is that the method does not adequately check whether a MongoDB projection has already been set before applying the admin-configured publicApiProjection, so a projection supplied by the caller is not constrained by the intended allow-list. As a result, an unauthenticated user can manipulate the project query parameter of a REST API request to read fields of public documents that should be restricted, such as internal notes, draft content, or metadata. The issue is easy to exploit: it requires only the addition of specific query parameters to a public URL, with no form of authentication. This vulnerability has been patched in version 4.29.0.
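The projection-handling flaw described above, as an added illustration that is not ApostropheCMS's own code: a simplified model in which the weak variant lets a caller-supplied projection bypass the admin-configured allow-list, while the hardened variant always intersects the request with publicApiProjection for unauthenticated callers. The field names, helper names and sample document are all constructed for this example.

```javascript
// Added illustration (not ApostropheCMS's own code): a simplified model of how
// an admin-configured publicApiProjection must be applied to a public REST query.
// Admin-configured allow-list: fields a public, unauthenticated request may see.
const publicApiProjection = { title: 1, slug: 1, body: 1 };

// Constructed sample document that also carries fields meant to stay internal.
const sampleDoc = {
  _id: 'doc1', title: 'Hello', slug: 'hello', body: 'Public text',
  internalNotes: 'do not leak', draftContent: 'unpublished', metadata: { owner: 'u42' }
};

// Weak pattern (the kind of flaw the advisory describes): the allow-list is only
// applied when no projection has been set yet, so a projection taken from the
// caller's `project` query parameter wins and can select restricted fields.
function buildProjectionWeak(requestedProjection, isAuthenticated) {
  if (requestedProjection) return requestedProjection;
  return isAuthenticated ? null : publicApiProjection;
}

// Hardened pattern: for unauthenticated callers the allow-list is always enforced;
// a requested projection may narrow it but never widen it.
function buildProjectionHardened(requestedProjection, isAuthenticated) {
  if (isAuthenticated) return requestedProjection || null;
  if (!requestedProjection) return publicApiProjection;
  const allowed = {};
  for (const field of Object.keys(requestedProjection)) {
    if (publicApiProjection[field] === 1 && requestedProjection[field]) allowed[field] = 1;
  }
  // An empty intersection falls back to the full public allow-list, never to
  // "no projection", which in MongoDB means "return every field".
  return Object.keys(allowed).length ? allowed : publicApiProjection;
}

// Apply an inclusion projection (null means "all fields") to a document in memory.
function applyProjection(doc, projection) {
  if (!projection) return { ...doc };
  const out = {};
  for (const field of Object.keys(projection)) {
    if (projection[field] && field in doc) out[field] = doc[field];
  }
  return out;
}

// Which fields an unauthenticated request asking for restricted fields gets back.
function fieldsReturned(build, requested = { internalNotes: 1, draftContent: 1, title: 1 }) {
  return Object.keys(applyProjection(sampleDoc, build(requested, false))).sort();
}

console.log('weak    :', fieldsReturned(buildProjectionWeak));     // leaks internalNotes, draftContent
console.log('hardened:', fieldsReturned(buildProjectionHardened)); // title only
```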

Affected Version(s)

apostrophe < 4.29.0

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 15 April 2026

  • Vulnerability reserved