CVE-2026-33888
Published 2026-04-15
Priority P3 · 35 · medium · CVSS 3.1 base score 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS 0.51% (39.7th percentile)
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB projection has already been set before applying the admin-configured publicApiProjection. An unauthenticated attacker can supply a project query parameter in the REST API request, which is processed by applyBuildersSafely before the permission check, pre-populating the projection state and causing the publicApiProjection to be skipped entirely. This allows disclosure of any field on publicly queryable documents that the administrator explicitly restricted from the public API, such as internal notes, draft content, or metadata. Exploitation is trivial, requiring only appending query parameters to a public URL with no authentication. This issue has been fixed in version 4.29.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apostrophecms | apostrophe | < 4.29.0 | 4.29.0 |
| apostrophecms | apostrophe | >= 0 < 4.29.0 | 4.29.0 |
| apostrophecms | apostrophecms | < 4.29.0 | 4.29.0 |
GHSA
ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API
ghsa · 2026-04-16 · CVE-2026-33888 · MEDIUM · CWE-200
## Summary
The `getRestQuery` method in the `@apostrophecms/piece-type` module checks whether a MongoDB projection has already been set before applying the admin-configured `publicApiProjection`. An unauthenticated attacker can supply a `project` query parameter in the REST API request to pre-populate the projection state, causing the security-enforced `publicApiProjection` to be skipped entirely. This allows disclosure of fields that the site administrator explicitly restricted from public access.
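The ordering problem described above, reduced to a constructed model (this is added illustration, not ApostropheCMS code): the vulnerable variant applies the caller's `project` builder before the "projection already set?" check, so the admin projection is skipped; the hardened variant applies `publicApiProjection` unconditionally for unauthenticated callers and lets a caller-supplied projection only narrow the result. `req.user`, `req.query.project`, the comma-separated field list and the single in-memory document are assumptions made for the example.

```javascript
// Constructed model of the publicApiProjection ordering bug. Not ApostropheCMS code:
// req.user, req.query.project, parseProject() and sampleDoc are assumptions for illustration.

// Admin-configured public projection: only these fields may leave the public API.
const publicApiProjection = { title: 1, slug: 1 };

// Constructed sample document: two public fields, two fields meant to stay private.
const sampleDoc = {
  _id: 'doc1', title: 'Hello', slug: 'hello',
  internalNotes: 'do not publish', draftBody: 'unfinished'
};

// Apply a MongoDB-style inclusion projection to one document (null = no projection).
function projectDoc(doc, projection) {
  if (!projection) return { ...doc };
  const out = {};
  for (const [field, include] of Object.entries(projection)) {
    if (include && field in doc) out[field] = doc[field];
  }
  return out;
}

// Parse "field1,field2" into an inclusion projection (assumed wire format).
function parseProject(value) {
  return Object.fromEntries(String(value).split(',').map(f => [f.trim(), 1]));
}

// Vulnerable ordering: the caller-supplied `project` builder runs first, and the
// "is a projection already set?" check then skips publicApiProjection entirely.
function vulnerableRestQuery(req) {
  let projection = null;
  if (req.query.project) projection = parseProject(req.query.project); // builders run first
  if (!req.user && !projection) projection = publicApiProjection;      // skipped when pre-set
  return projectDoc(sampleDoc, projection);
}

// Hardened ordering: unauthenticated callers always get publicApiProjection applied;
// their own projection runs afterwards and can only remove fields, never add them.
function hardenedRestQuery(req) {
  const requested = req.query.project ? parseProject(req.query.project) : null;
  if (req.user) return projectDoc(sampleDoc, requested);
  return projectDoc(projectDoc(sampleDoc, publicApiProjection), requested);
}
```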
## Details
When an unauthenticated user queries the piece-type REST API, the request is processed by the `getRestQuery` method at `modules/@apostrophecms/piece-type/index.js:1120`.
VulDB
apostrophe up to 4.28.x piece-type checks authorization (GHSA-xhq9-58fw-859p)
vuldb·2026-04-16·CVSS 5.3
A vulnerability classified as problematic has been found in apostrophe up to 4.28.x. This impacts the function checks of the component piece-type Module. The manipulation leads to incorrect authorization.
This vulnerability is traded as CVE-2026-33888. It is possible to initiate the attack remotely. There is no exploit available.
It is recommended to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.