KeystoneJS, a Node.js content management system, suffered from an authorization bypass vulnerability identified as CVE-2026-33326. The vulnerability relates to the isFilterable access control on fields used in findMany queries. Specifically, prior to version 6.5.2, attackers could bypass the isFilterable restriction by passing a specially crafted cursor parameter, which accepts the same UniqueWhere input type as the where parameter. This allowed attackers to confirm the existence of records by querying protected field values, effectively leaking information that should have been restricted. The root cause was an incomplete fix for a prior vulnerability (CVE-2025-46720) that addressed similar bypasses in update and delete mutations but failed to patch the cursor parameter in findMany queries. The vulnerability requires an attacker to have some level of privileges (PR:L) but does not require user interaction (UI:N) and can be exploited remotely (AV:N). The CVSS v3.1 base score is 4.3, reflecting a medium severity due to limited impact on confidentiality and no impact on integrity or availability. The issue was publicly disclosed and patched in KeystoneJS version 6.5.2, with no known exploits in the wild reported at the time of publication.

The primary impact of this vulnerability is unauthorized information disclosure. Attackers with limited privileges can leverage the cursor parameter in findMany queries to confirm the existence of records containing protected field values, potentially exposing sensitive or confidential data. While the vulnerability does not allow modification or deletion of data, the ability to enumerate protected records can aid in reconnaissance and facilitate further targeted attacks. Organizations using KeystoneJS in environments where sensitive data is managed may face increased risk of data leakage, which could lead to compliance violations, reputational damage, and loss of customer trust. Since the vulnerability requires some level of privilege, the risk is somewhat mitigated but remains significant in multi-tenant or shared environments where privilege boundaries are critical. The lack of known exploits suggests limited active exploitation, but the vulnerability's presence in widely used versions means many deployments could be affected if not patched.

To mitigate this vulnerability, organizations should upgrade all KeystoneJS installations to version 6.5.2 or later, where the issue has been fully patched. In addition to upgrading, administrators should audit access control policies to ensure that field-level permissions are correctly configured and enforced. Implementing strict privilege separation and minimizing user privileges can reduce the risk of exploitation. Monitoring and logging of findMany queries, especially those using cursor parameters, can help detect suspicious activity indicative of exploitation attempts. If immediate upgrading is not feasible, consider implementing network-level access controls to restrict access to KeystoneJS management interfaces and APIs to trusted users only. Regularly review and apply security advisories from KeystoneJS and related dependencies to stay ahead of emerging vulnerabilities.