CVE-2026-39857
published 2026-04-15CVE-2026-39857: ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and…
PriorityP432medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
EPSS
0.43%
34.8th percentile
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, where these query builders execute MongoDB distinct() operations that bypass the publicApiProjection restrictions intended to limit which fields are exposed publicly. The choices and counts parameters are processed via applyBuildersSafely before the projection is applied, and MongoDB's distinct operation does not respect projections, returning all distinct values directly. The results are returned in the API response without any filtering against publicApiProjection or removeForbiddenFields. An unauthenticated attacker can extract all distinct field values for any schema field type that has a registered query builder, including string, integer, float, select, boolean, date, slug, and relationship fields. Fields protected with viewPermission are similarly exposed, and the counts variant additionally reveals how many documents have each distinct value. Both the piece-type and page REST APIs are affected. This issue has been fixed in version 4.29.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apostrophecms | apostrophe | < 4.29.0 | 4.29.0 |
| apostrophecms | apostrophe | >= 0 < 4.29.0 | 4.29.0 |
| apostrophecms | apostrophecms | < 4.29.0 | 4.29.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions
ghsa·2026-04-16
CVE-2026-39857 [MEDIUM] CWE-200 ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions
ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions
## Summary
The `choices` and `counts` query parameters in the Apostrophe CMS REST API allow unauthenticated users to extract distinct field values for any schema field that has a registered query builder, completely bypassing `publicApiProjection` restrictions that are intended to limit which fields are exposed publicly. Fields protected by `viewPermission` are similarly exposed.
## Details
When a piece type configures `publicApiProjection` to enable public API access while restricting visible fields, the restriction is enforced via a MongoDB projection on the main query (piece-type/index.js:1130-1134). However, the `choices` and `counts` query builders bypass this
VulDB
apostrophe up to 4.28.x REST API distinct information disclosure (GHSA-c276-fj82-f2pq)
vuldb·2026-04-16·CVSS 5.3
CVE-2026-39857 [MEDIUM] apostrophe up to 4.28.x REST API distinct information disclosure (GHSA-c276-fj82-f2pq)
A vulnerability marked as problematic has been reported in apostrophe up to 4.28.x. The impacted element is the function distinct of the component REST API. Performing a manipulation results in information disclosure.
This vulnerability is reported as CVE-2026-39857. The attack is possible to be carried out remotely. No exploit exists.
It is suggested to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-04-15
Published