CVE-2026-53609: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in apostrophecms apostrophe
ApostropheCMS versions up to and including 4.30.0 contain a prototype pollution vulnerability in the apos.util.set() function. This allows an authenticated editor to modify Object.prototype via the $pullAll patch operator. The vulnerability enables bypassing authorization on all piece-type REST API endpoints for all subsequent unauthenticated requests during the Node.js process lifetime. No patched versions are currently available.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-53609 is a prototype pollution vulnerability in ApostropheCMS (apostrophe) affecting versions up to and including 4.30.0. The function apos.util.set() improperly traverses dot-notation paths without sanitizing the __proto__ property, allowing an authenticated editor to write arbitrary values to Object.prototype using the $pullAll patch operator. This leads to a confirmed gadget in publicApiCheck() that bypasses authorization on all piece-type REST API endpoints for any unauthenticated requests thereafter, persisting for the lifetime of the Node.js process. No official fix or patch is available at the time of publication.
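The flaw described above is the generic dot-notation setter pattern: a path is split on "." and every segment is followed as given, so a segment such as `__proto__` walks onto `Object.prototype` and the final assignment lands there. The following is an added illustration, not ApostropheCMS code and not a reconstruction of `apos.util.set()` or of the `$pullAll` handling; the function names `naiveSet`, `safeSet` and `prototypeIsClean` are assumptions. It places the flawed pattern beside a hardened setter that rejects prototype-reaching segments at any depth and only descends through properties the target object itself owns, plus a small integrity check a defender can wire into a health endpoint or test suite.

```javascript
'use strict';

// Added example, not ApostropheCMS code. The page describes apos.util.set()
// only as a dot-notation path setter that does not sanitise "__proto__";
// naiveSet() below is a generic stand-in for that pattern, safeSet() is the
// hardened counterpart. Names and helpers here are assumptions.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Flawed pattern: every segment is followed as given, so a path like
// "__proto__.flag" walks onto Object.prototype before the final write.
function naiveSet(target, path, value) {
  const segments = path.split('.');
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    if (node[segments[i]] == null) node[segments[i]] = {};
    node = node[segments[i]];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Hardened setter: rejects empty or prototype-reaching segments anywhere in
// the path and only descends into own, non-null object properties, so the
// walk can never leave the target object or climb its prototype chain.
function safeSet(target, path, value) {
  if (typeof path !== 'string' || path.length === 0) {
    throw new TypeError('path must be a non-empty string');
  }
  const segments = path.split('.');
  for (const seg of segments) {
    if (seg === '' || FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`refusing unsafe path segment: ${JSON.stringify(seg)}`);
    }
  }
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    // Replace anything that is not an own plain object with a fresh container;
    // inherited properties are never followed.
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = {};
    }
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Runtime integrity check: Object.prototype should have no enumerable own
// properties. A polluted process reports false, which is a cheap signal for a
// health check or a post-deployment test.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

module.exports = { naiveSet, safeSet, prototypeIsClean, FORBIDDEN_SEGMENTS };
```

The segment denylist alone is not the whole defence; the own-property check matters as well, because a path such as `x.constructor.prototype.flag` would otherwise reach `Object.prototype` through an inherited `constructor` property without ever naming `__proto__`. Where user-supplied paths are accepted at all, an allowlist of permitted top-level fields is the stronger control, and `prototypeIsClean()` gives operators a way to notice pollution that has already happened in a long-running process.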
Potential Impact
An authenticated editor can exploit this vulnerability to perform prototype pollution, which results in bypassing authorization controls on all piece-type REST API endpoints for subsequent unauthenticated requests. This compromises the confidentiality, integrity, and availability of the affected system, as unauthorized access to and partial control over API endpoints are possible. The vulnerability has a high CVSS score of 9.1, indicating critical severity.
Mitigation Recommendations
As of the time of this report, no official patch or fix is available for this vulnerability. Users should monitor the vendor's advisories for updates. Until a fix is released, limit editor privileges to trusted users only and consider additional access controls or network-level restrictions to reduce exposure. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVSS v3.1
Score: 9.1 (Critical)
Affected software: apostrophecms/apostrophe, versions up to and including 4.30.0
Weaknesses: CWE-1321, Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-06-09T19:39:52.404Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a2c7c93e617e2d834c6c826
Added to database: 6/12/2026, 9:39:31 PM
Last enriched: 6/12/2026, 9:54:17 PM
Last updated: 6/12/2026, 10:49:33 PM
Views: 5