CVE-2026-33888Sensitive Information Exposure in Apostrophe

CWE-200Sensitive Information ExposureCWE-863Incorrect Authorization4 documents4 sources
Severity
5.3MEDIUMNVD
EPSS
0.1%
top 74.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apostrophecms Apostrophe
Timeline
PublishedApr 15
Latest updateApr 16

Description

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB projection has already been set before applying the admin-configured publicApiProjection. An unauthenticated attacker can supply a project query parameter in the REST API request, which is processed by applyBuildersSafely before the permission check,

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

CVEListV5apostrophecms/apostrophe< 4.29.0

🔴Vulnerability Details

3
GHSA
ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API2026-04-16
VulDB
apostrophe up to 4.28.x piece-type checks authorization (GHSA-xhq9-58fw-859p)2026-04-16
CVEList
ApostropheCMS: publicApiProjection Bypass via `project` Query Builder in Piece-Type REST API2026-04-15
CVE-2026-33888 — Sensitive Information Exposure | cvebase