
CVE-2026-33326: CWE-863: Incorrect Authorization in keystonejs keystone

Severity: Medium
Tags: Vulnerability, CVE-2026-33326, CWE-863
Published: Tue Mar 24 2026 (03/24/2026, 19:08:05 UTC)
Source: CVE Database V5
Vendor/Project: keystonejs
Product: keystone

Description

CVE-2026-33326 is a medium severity authorization bypass vulnerability in KeystoneJS versions prior to 6.5.2. It allows attackers with limited privileges to bypass field-level access controls on filterable fields during findMany queries by exploiting the cursor parameter. This flaw enables confirmation of the existence of records based on protected field values without proper authorization. The vulnerability arises because the cursor parameter was not patched alongside the where parameter in update and delete mutations, allowing unauthorized filtering. No user interaction is required, and the vulnerability can be exploited remotely over the network with low complexity. The issue has been fixed in KeystoneJS version 6.5.2.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/24/2026, 19:47:50 UTC

Technical Analysis

KeystoneJS is a popular Node.js-based content management system that provides flexible APIs for querying and managing data. Prior to version 6.5.2, KeystoneJS contained an authorization vulnerability identified as CVE-2026-33326 (CWE-863: Incorrect Authorization). The vulnerability specifically affects the findMany query operation when using the cursor parameter. The cursor parameter accepts a UniqueWhere input type, which was not properly validated for access control, unlike the where parameter that was patched in response to a previous vulnerability (CVE-2025-46720). This oversight allows an attacker with at least limited privileges (PR:L) to bypass the isFilterable access control on certain fields by passing a crafted cursor value. Consequently, attackers can confirm the existence of records containing protected field values, potentially leaking sensitive information. The vulnerability does not allow modification or deletion of data, nor does it impact availability, but it compromises confidentiality by exposing protected data existence. The CVSS v3.1 base score is 4.3 (medium severity), reflecting network attack vector, low attack complexity, required privileges, and no user interaction. The issue was addressed in KeystoneJS version 6.5.2 by adding proper authorization checks on the cursor parameter in findMany queries, aligning it with protections on other query parameters.

Potential Impact

This vulnerability primarily impacts the confidentiality of data managed by KeystoneJS instances running versions prior to 6.5.2. Attackers with limited privileges can confirm the existence of records with protected field values, which may aid in reconnaissance and facilitate further targeted attacks or data leakage. While it does not allow direct data modification or deletion, the ability to infer sensitive information can be critical in environments where data privacy is paramount, such as healthcare, finance, or personal data management. Organizations relying on KeystoneJS for content management or backend APIs may face compliance risks if sensitive data exposure occurs. The vulnerability's ease of exploitation over the network and lack of required user interaction increase the risk, especially in multi-tenant or publicly accessible deployments. However, the absence of known exploits in the wild suggests limited active exploitation currently, though this may change post-disclosure. Overall, the impact is moderate but significant enough to warrant prompt remediation.

Mitigation Recommendations

The primary mitigation is to upgrade all KeystoneJS instances to version 6.5.2 or later, where the cursor parameter authorization checks have been properly implemented. For organizations unable to upgrade immediately, it is recommended to implement strict access controls limiting who can perform findMany queries, especially those involving cursor parameters. Monitoring and logging query patterns that use cursor parameters can help detect suspicious activity indicative of exploitation attempts. Additionally, review and tighten field-level access control policies to minimize exposure of sensitive fields as filterable. Employ network segmentation and firewall rules to restrict access to KeystoneJS management interfaces to trusted users only. Regularly audit and test authorization mechanisms in KeystoneJS deployments to ensure no bypasses exist. Finally, stay informed on updates from KeystoneJS and related security advisories to promptly apply patches.
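The mitigation text above suggests logging and monitoring query patterns that use the cursor parameter. The following is an added example of such a detector, written for this page and not code from OffSeq or the KeystoneJS project. It assumes a constructed log format (JSON lines with `ts`, `user` and `query`) and assumes that legitimate pagination cursors in the deployment are keyed only on `id`; any cursor object keyed on another unique field is reported, since that is the pattern the technical analysis describes (a UniqueWhere cursor used to filter on a protected field). The expected-key allowlist is a parameter, so a deployment that legitimately paginates on other unique fields can extend it.

```javascript
// Added example (not OffSeq's or KeystoneJS's own code): flag GraphQL requests whose
// `cursor` argument is keyed on something other than the expected unique field.
// Assumptions (constructed for this example): request logs are JSON lines with
// `ts`, `user` and `query`, and legitimate pagination cursors use only `id`.

const EXPECTED_CURSOR_KEYS = new Set(['id']);

// Return every `{ ... }` object literal that follows a `cursor:` argument,
// tracking brace depth so nested input objects are captured whole.
function extractCursorObjects(query) {
  const objects = [];
  const re = /\bcursor\s*:\s*\{/g;
  let match;
  while ((match = re.exec(query)) !== null) {
    const start = match.index + match[0].length - 1; // index of the opening '{'
    let depth = 0;
    let i = start;
    for (; i < query.length; i++) {
      if (query[i] === '{') depth++;
      else if (query[i] === '}' && --depth === 0) break;
    }
    if (depth === 0) objects.push(query.slice(start, i + 1));
  }
  return objects;
}

// Collect the top-level keys of a GraphQL input object literal such as
// `{ id: "x", email: "y" }`, ignoring anything inside strings or nested objects.
function topLevelKeys(objectLiteral) {
  const keys = [];
  let depth = 0;
  let inString = false;
  let token = '';
  for (let i = 1; i < objectLiteral.length - 1; i++) {
    const ch = objectLiteral[i];
    if (inString) {
      if (ch === '"' && objectLiteral[i - 1] !== '\\') inString = false;
      continue;
    }
    if (ch === '"') { inString = true; continue; }
    if (ch === '{') { depth++; continue; }
    if (ch === '}') { depth--; continue; }
    if (depth > 0) continue;
    if (/[A-Za-z0-9_]/.test(ch)) { token += ch; continue; }
    if (ch === ':' && token) keys.push(token); // a name followed by ':' is a key
    token = '';
  }
  return keys;
}

// Scan one JSON log line; return one finding per cursor object with unexpected keys.
function scanLogLine(line, expectedKeys = EXPECTED_CURSOR_KEYS) {
  const entry = JSON.parse(line);
  const findings = [];
  for (const obj of extractCursorObjects(entry.query || '')) {
    const unexpected = topLevelKeys(obj).filter((k) => !expectedKeys.has(k));
    if (unexpected.length > 0) {
      findings.push({ ts: entry.ts, user: entry.user, unexpectedKeys: unexpected, cursor: obj });
    }
  }
  return findings;
}

function scanLog(lines, expectedKeys = EXPECTED_CURSOR_KEYS) {
  return lines.flatMap((line) => scanLogLine(line, expectedKeys));
}

// Constructed sample log: an ordinary paginated query, a query whose cursor is keyed on
// a non-id field, and a query without any cursor.
const SAMPLE_LOG = [
  { ts: '2026-03-24T19:10:01Z', user: 'editor-a', query: 'query { posts(take: 10, cursor: { id: "post_0001" }) { id title } }' },
  { ts: '2026-03-24T19:10:07Z', user: 'editor-b', query: 'query { users(take: 1, cursor: { email: "placeholder@example.invalid" }) { id } }' },
  { ts: '2026-03-24T19:10:09Z', user: 'editor-a', query: 'query { posts(take: 5) { id } }' },
].map((entry) => JSON.stringify(entry));

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`[${f.ts}] user=${f.user} cursor keyed on ${f.unexpectedKeys.join(', ')}: ${f.cursor}`);
}
```

The scanner only sees inline cursor literals; a query that passes the cursor through a GraphQL variable (`cursor: $cursor`) must be matched against the logged variables object instead, which this example does not cover. Findings are a signal for review rather than proof of misuse, and the real fix remains the upgrade to 6.5.2.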


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-18T21:23:36.678Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69c2e66df4197a8e3b68b9a4

Added to database: 3/24/2026, 7:30:53 PM

Last enriched: 3/24/2026, 7:47:50 PM

Last updated: 3/24/2026, 8:42:33 PM

