CVE-2026-33888: CWE-863: Incorrect Authorization in apostrophecms apostrophe
ApostropheCMS versions 4.28.0 and earlier have an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module. This flaw allows unauthenticated attackers to bypass admin-configured public API field restrictions by manipulating the project query parameter, leading to unauthorized disclosure of restricted document fields. The issue is fixed in version 4.29.0.
AI Analysis
Technical Summary
CVE-2026-33888 is an authorization bypass vulnerability in ApostropheCMS (a Node.js CMS) in versions prior to 4.29.0. The vulnerability exists in the getRestQuery method, where the system checks whether a MongoDB projection is already set before applying the admin-configured publicApiProjection. An attacker can supply a crafted project query parameter in a REST API request; because that parameter is processed before the permission check, the publicApiProjection is skipped. This allows disclosure of any fields that administrators intended to restrict from public API access, such as internal notes or draft content. Exploitation requires no authentication and is trivial, since it only involves appending query parameters to public URLs. The vulnerability is tracked under CWE-863 (Incorrect Authorization) and CWE-200 (Information Exposure).
Potential Impact
An unauthenticated attacker can bypass authorization controls to access restricted fields in publicly queryable documents via the REST API. This leads to unauthorized disclosure of sensitive information such as internal notes, draft content, or metadata that administrators intended to keep private. There is no impact on integrity or availability reported.
Mitigation Recommendations
This vulnerability is fixed in ApostropheCMS version 4.29.0. Users should upgrade to version 4.29.0 or later to remediate this issue. Since this is not a cloud service, patching the affected software is required. Patch status is confirmed by the vendor's versioning information. No additional mitigations are indicated.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-24T15:10:05.681Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69dfeeb382d89c981f942274
Added to database: 4/15/2026, 8:01:55 PM
Last enriched: 4/15/2026, 8:17:07 PM
Last updated: 4/15/2026, 9:03:11 PM