cvebase

Keystone-6 Core vulnerabilities

5 known vulnerabilities affecting keystone-6/core.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, MEDIUM 2, LOW 1

Vulnerabilities

CVE-2022-39382 | P3 | CRITICAL | ≥ 3.0.0, < 3.0.2 | 2022-11-03
CVE-2022-39382 [CRITICAL] CWE-74 @keystone-6/core's NODE_ENV defaults to development with esbuild
### Impact
`@keystone-6/core@3.0.0 || 3.0.1` users that use `NODE_ENV` in their own code (**not dependencies**) to trigger security-sensitive functionality in a production build are vulnerable to `NODE_ENV` being inlined to `"development"` for user code. If your dependencies use `NODE_ENV` to trigger particular behaviours (optimisati
Sources: ghsa, osv

CVE-2022-39322 | P3 | CRITICAL | ≥ 2.2.0, < 2.3.1 | 2022-10-18
CVE-2022-39322 [CRITICAL] CWE-285 Field-level access-control bypass for multiselect field
#### Impact
`@keystone-6/core@2.2.0 || 2.3.0` users who are using the `multiselect` field, and provided field-level access control - are vulnerable to their field-level access control not being used. List-level access control is **NOT** affected. Field-level access control for fields other than `multiselect` are **NOT** affected. Example, **you ar
Sources: ghsa, osv

CVE-2023-40027 | P4 | MEDIUM | ≥ 0, < 5.5.1 | 2023-08-15
CVE-2023-40027 [MEDIUM] CWE-862 When `ui.isAccessAllowed` is `undefined`, the `adminMeta` GraphQL query is publicly accessible
### Summary
When `ui.isAccessAllowed` is `undefined`, the `adminMeta` GraphQL query is publicly accessible, that is to say, no session is required for the query. This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly acces
Sources: ghsa, osv

CVE-2026-33326 | P4 | MEDIUM | CVSS 4.3 | ≥ 0, < 6.5.2 | 2026-03-19
CVE-2026-33326 [MEDIUM] CWE-863 @keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany (CVE-2025-46720 incomplete fix)
# Summary
`{field}.isFilterable` access control can be bypassed in `findMany` queries by passing a `cursor`. This can be used to confirm the existence of records by protected field values. The fix for [CVE-2025-46720](https://github.com/keystonejs/keys
Sources: ghsa, osv

CVE-2025-46720 | P4 | LOW | ≥ 0, < 6.5.0 | 2025-05-05
CVE-2025-46720 [LOW] CWE-200 Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields
# Summary
`{field}.isFilterable` access control can be bypassed in `update` and `delete` mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields. Specifically, when a mutat
Sources: ghsa, osv