CVE-2026-39857: Information Disclosure via Authorization Bypass in ApostropheCMS REST API
Vulnerability ID: CVE-2026-39857
CVSS Score: 5.3
Published: 2026-04-16
ApostropheCMS versions 4.28.0 and prior contain an authorization bypass vulnerability in the REST API's 'choices' and 'counts' query builders. These parameters execute MongoDB aggregation operations that bypass configured public API projections, permitting unauthenticated attackers to extract distinct values for restricted schema fields.
TL;DR
Unauthenticated attackers can bypass API projections in ApostropheCMS <= 4.28.0 using the 'choices' and 'counts' parameters to exfiltrate restricted field data.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-863
- Attack Vector: Network
- CVSS v3.1: 5.3
- EPSS Score: 0.00037
- Impact: Confidentiality (Low)
- Exploitation Status: PoC Available
- CISA KEV: No
Affected Systems
- ApostropheCMS <= 4.28.0
- Node.js Applications using ApostropheCMS
-
ApostropheCMS: <= 4.28.0 (Fixed in:
4.29.0)
Code Analysis
Commit: 6c2b548
Fix: Apply projection and viewPermission checks to distinct() queries for choices and counts endpoints
Exploit Details
- GitHub Advisory: PoC exists within the official fix commit test cases.
Mitigation Strategies
- Upgrade application core components to the latest stable release.
- Implement strict Web Application Firewall (WAF) rules to filter specific query parameters.
- Audit public API endpoint projections and explicit field exclusion configurations.
Remediation Steps:
- Verify current ApostropheCMS version via package.json.
- Execute package manager update to install ApostropheCMS >= 4.29.0.
- Review and test piece and page type schemas for correct publicApiProjection syntax.
- Deploy WAF rules blocking 'choices' and 'counts' parameters on REST endpoints if patching is delayed.
References
- GitHub Advisory (GHSA-c276-fj82-f2pq)
- Official Fix Commit (6c2b548)
- NVD CVE-2026-39857 Detail
- ApostropheCMS Official Site
Read the full report for CVE-2026-39857 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)