CVE-2026-32730
Published 2026-03-18
Priority: P3 50
CVSS 3.1: 8.1 (High), vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.36% (28.1th percentile)
ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA requirements were NOT — to be used as fully authenticated bearer tokens. This completely bypasses multi-factor authentication for any ApostropheCMS deployment using `@apostrophecms/login-totp` or any custom `afterPasswordVerified` login requirement. Version 4.28.0 fixes the issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apostrophecms | apostrophe | < 4.28.0 | 4.28.0 |
| apostrophecms | apostrophe | >= 0 < 4.28.0 | 4.28.0 |
| apostrophecms | apostrophecms | < 4.28.0 | 4.28.0 |
GHSA · 2026-03-18
CVE-2026-32730 [HIGH] CWE-287 ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware
# MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware
## Summary
The bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA requirements were NOT — to be used as fully authenticated bearer tokens. This completely bypasses multi-factor authentication for any ApostropheCMS deployment using `@apostrophecms/login-totp` or any custom `afterPasswordVerified` login requirement.
## Severity
The AC is High because the attacker must first obtain the victim's password. However, the entire purpose of MFA is to protect accounts when passwords
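The failure mode the advisory describes, a bearer token lookup whose query does not require the login to have completed every requirement, modelled as an added example that is not ApostropheCMS's own code. The in-memory token store, the `findOne` stand-in and the field names `userId` and `requirementsComplete` are assumptions for illustration, not the real schema.

```javascript
// Constructed sample token documents (hypothetical field names).
const tokens = [
  // Login fully completed: password and TOTP both verified.
  { _id: 'tok-complete', userId: 'alice', requirementsComplete: true },
  // Password verified, TOTP still pending: must NOT act as a bearer token.
  { _id: 'tok-pending', userId: 'bob', requirementsComplete: false }
];

// Minimal stand-in for a MongoDB findOne(): every key in the query must match.
function findOne(collection, query) {
  return collection.find(doc =>
    Object.entries(query).every(([k, v]) => doc[k] === v)
  ) || null;
}

// Weak pattern: the lookup keys only on the token id, so a token whose
// MFA step never completed still resolves to a user.
function vulnerableBearerLookup(tokenId) {
  return findOne(tokens, { _id: tokenId });
}

// Corrected pattern: the query itself requires the completion flag, so an
// incomplete token never resolves, independent of any later checks.
function fixedBearerLookup(tokenId) {
  return findOne(tokens, { _id: tokenId, requirementsComplete: true });
}

// Middleware-style helper: returns the authenticated user id, or null
// when the token must be rejected.
function authenticate(lookup, tokenId) {
  const doc = lookup(tokenId);
  return doc ? doc.userId : null;
}
```

Running `authenticate(vulnerableBearerLookup, 'tok-pending')` yields a user while the corrected lookup yields `null`, which is the behavioural difference a regression test for this class of bug should pin down.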
OSV · 2026-03-18
CVE-2026-32730 [HIGH] ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware (same advisory text as the GHSA entry above)
No detection rules found.
No public exploits indexed.
Published: 2026-03-18