CVE-2026-33888

Exploit

EPSS 0.08%
Veröffentlicht 15.04.2026 19:25:46
Zuletzt bearbeitet 20.04.2026 17:04:34
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

ApostropheCMS: publicApiProjection Bypass via `project` Query Builder in Piece-Type REST API

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB projection has already been set before applying the admin-configured publicApiProjection. An unauthenticated attacker can supply a project query parameter in the REST API request, which is processed by applyBuildersSafely before the permission check, pre-populating the projection state and causing the publicApiProjection to be skipped entirely. This allows disclosure of any field on publicly queryable documents that the administrator explicitly restricted from the public API, such as internal notes, draft content, or metadata. Exploitation is trivial, requiring only appending query parameters to a public URL with no authentication. This issue has been fixed in version 4.29.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apostrophecms ≫ Apostrophecms Version < 4.29.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.237

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-xhq9-58fw-859p

Vendor Advisory

Exploit

Mitigation

https://github.com/apostrophecms/apostrophe/commit/00d472804bb622df36a761b6f2cf2b33b2d4ce80

Patch

https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-33888

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33888

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33888

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33888