CVE-2026-33888 Overview
ApostropheCMS, a popular open-source Node.js content management system, contains an authorization bypass in versions 4.28.0 and prior. The flaw is in the getRestQuery method of the @apostrophecms/piece-type module (the base module every piece type extends): a caller-supplied MongoDB projection is accepted before the admin-configured publicApiProjection is applied, and the method then skips the admin projection because one is already set. An unauthenticated caller can therefore substitute their own projection and read restricted document fields through the public REST API.
Critical Impact
Unauthenticated attackers can bypass access controls to expose sensitive document fields such as internal notes, draft content, and metadata that administrators explicitly restricted from public API access.
Affected Products
- ApostropheCMS versions 4.28.0 and prior
- Every piece type built on the @apostrophecms/piece-type module (all piece types extend it) that exposes a public REST API through publicApiProjection
- Websites and applications with publicly queryable document collections
Discovery Timeline
- 2026-04-15 - CVE-2026-33888 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-33888
Vulnerability Analysis
This authorization bypass (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) sits in the core query handling of ApostropheCMS. It is a deterministic order-of-operations flaw in how MongoDB projections are processed during the REST API request lifecycle, not a timing issue.
When a request reaches the public REST API, getRestQuery is responsible for applying the administrator-defined field restrictions in publicApiProjection. Its implementation only installs that projection if the query does not already carry one, and by the time the check runs the caller's own projection has already been applied.
The impact allows disclosure of any field on publicly queryable documents that administrators explicitly restricted from the public API. This could include sensitive internal notes, draft content, metadata, or other confidential information that should not be accessible through public endpoints.
Root Cause
The root cause is the order of operations inside getRestQuery. applyBuildersSafely copies the query builders that are accepted from public callers straight from the request's query string onto the query, and project is among them, so a caller-supplied project parameter populates the projection state of the query builder before the permission check runs.
When the authorization logic then asks whether a projection has already been set, it finds the attacker-supplied one and skips publicApiProjection entirely. A check that was presumably meant to avoid clobbering an internally set projection instead lets user-controlled input override the security configuration.
Attack Vector
The attack is trivial to execute and requires no authentication. An attacker appends a project query parameter to any public REST API URL that returns documents (a piece-type listing such as GET /api/v1/<piece-type>, for example), naming the fields that should be restricted, and the server returns them because publicApiProjection is never applied.
For example, if an administrator configured the public API to only expose title and slug fields while hiding internalNotes and draftStatus, an attacker could bypass this restriction by including those field names in the project parameter. The vulnerability affects any publicly queryable piece type that relies on publicApiProjection for access control.
The attack can be performed directly from a web browser by modifying URL parameters, making it accessible to low-skilled attackers with no specialized tooling required.
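The ordering bug from the Root Cause section and the request from the Attack Vector section, as an added illustration that is not ApostropheCMS code and not the upstream patch: FakeQuery is a stand-in for the Apostrophe query builder that tracks only projection state, getRestQueryVulnerable mirrors the check-if-already-set logic the advisory describes, and getRestQueryHardened is one possible fix in which the admin projection is a ceiling a caller can narrow but never widen. The sample document, the field names, and the parsed shape of project[field]=1 (an object, as the qs-style parser Express uses by default would produce) are assumptions. The hardened version also guards against an empty effective projection, which in MongoDB would mean "return every field".

```javascript
// Added illustration of the CVE-2026-33888 ordering bug. FakeQuery stands in
// for the Apostrophe query builder; it is NOT the real @apostrophecms code.

// Constructed sample document with fields an administrator wants hidden.
const SAMPLE_DOC = {
  _id: 'doc1',
  title: 'Quarterly roadmap',
  slug: 'quarterly-roadmap',
  internalNotes: 'Do not publish before the board meeting',
  draftStatus: 'unreviewed'
};

// Admin configuration: only title and slug may leave via the public API.
const PUBLIC_API_PROJECTION = { title: 1, slug: 1 };

class FakeQuery {
  constructor() { this.state = {}; }

  // Models the `project` builder: records the projection in query state.
  project(p) { this.state.project = p; return this; }

  // Models applyBuildersSafely(req.query): copies builders accepted from
  // public callers, project among them, straight from the query string.
  applyBuildersSafely(reqQuery) {
    if (reqQuery.project && typeof reqQuery.project === 'object') {
      this.project(reqQuery.project);
    }
    return this;
  }

  // Apply the accumulated inclusion projection to one document
  // (simplified: MongoDB's implicit _id inclusion is ignored here).
  toObject(doc) {
    const proj = this.state.project;
    if (!proj) return { ...doc };
    const out = {};
    for (const [k, v] of Object.entries(proj)) {
      if (v && k in doc) out[k] = doc[k];
    }
    return out;
  }
}

// Vulnerable ordering: caller builders are applied first, then the public
// projection is only installed "if nothing is set yet".
function getRestQueryVulnerable(reqQuery, isEditor) {
  const query = new FakeQuery();
  query.applyBuildersSafely(reqQuery);
  if (!isEditor && !query.state.project) {
    query.project(PUBLIC_API_PROJECTION);
  }
  return query;
}

// Hardened ordering (assumption: one reasonable fix, not the upstream patch).
// For public callers the admin projection is the ceiling; a caller-supplied
// projection may narrow the field set but never widen it.
function getRestQueryHardened(reqQuery, isEditor) {
  const query = new FakeQuery();
  query.applyBuildersSafely(reqQuery);
  if (!isEditor) {
    const allowed = Object.keys(PUBLIC_API_PROJECTION)
      .filter(k => PUBLIC_API_PROJECTION[k]);
    const requested = query.state.project
      ? Object.keys(query.state.project).filter(k => query.state.project[k])
      : allowed;
    const effective = {};
    for (const k of requested) if (allowed.includes(k)) effective[k] = 1;
    // An empty projection means "all fields" to MongoDB, so never send one.
    if (Object.keys(effective).length === 0) effective._id = 1;
    query.project(effective);
  }
  return query;
}

// What the unauthenticated attacker sends:
//   GET /api/v1/<piece-type>?project[internalNotes]=1&project[draftStatus]=1&project[title]=1
// after the qs-style query parser turns it into an object (assumed shape).
const ATTACK_QUERY = { project: { internalNotes: 1, draftStatus: 1, title: 1 } };

// Field names an unauthenticated caller gets back under each implementation.
function fieldsReturned(getRestQuery, reqQuery) {
  return Object.keys(getRestQuery(reqQuery, false).toObject(SAMPLE_DOC)).sort();
}

console.log('vulnerable, attack query:', fieldsReturned(getRestQueryVulnerable, ATTACK_QUERY));
console.log('hardened,   attack query:', fieldsReturned(getRestQueryHardened, ATTACK_QUERY));
console.log('hardened,   no project:  ', fieldsReturned(getRestQueryHardened, {}));
```

Run with node: the vulnerable variant hands back internalNotes and draftStatus for the attack query, the hardened variant returns only title, and with no project parameter both return the configured title and slug. The intersection approach keeps the project parameter usable for public callers who want fewer fields, which a simple "ignore caller projections" fix would lose.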
Detection Methods for CVE-2026-33888
Indicators of Compromise
- Unusual REST API requests containing project query parameters with field names not in the publicApiProjection configuration
- API responses returning fields that should be restricted according to piece-type configurations
- Increased volume of API requests from unauthenticated sources targeting piece-type endpoints
- Log entries showing queries for sensitive field names like internalNotes, draft, or custom metadata fields
Detection Strategies
- Monitor web server access logs for REST API requests containing suspicious project parameters
- Implement application-level logging to track when non-public fields are requested
- Review API response sizes for anomalies that may indicate additional field exposure
- Configure WAF rules to alert on project parameters in public API endpoints
Monitoring Recommendations
- Enable detailed request logging for all ApostropheCMS REST API endpoints
- Set up alerts for API requests containing projection-related query parameters
- Audit existing publicApiProjection configurations across all piece types
- Monitor for reconnaissance patterns such as enumeration of field names
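A log-scanning pass covering the indicators and detection strategies above, as an added example that is my code and not from the advisory or from ApostropheCMS: it parses NGINX combined-format access log lines, picks out requests to /api/v1/<piece-type>, decodes the project parameter and flags any request that names a field outside a hypothetical per-type publicApiProjection map. Assumptions: piece types are mounted at /api/v1/<module-name>, the query parser yields project[field]=value keys, and the log lines are constructed. Because the vulnerable check described on this page only tests whether any projection is present, an exclusion-style projection (project[field]=0) would skip the restriction just as well, so the scanner flags those too, as it does a bare project= value it cannot interpret.

```javascript
// Added detection example for CVE-2026-33888 (not from the advisory or from
// ApostropheCMS). Scans access-log lines for public REST API requests whose
// `project` parameter names fields outside the configured publicApiProjection.

// Hypothetical piece-type configuration: URL path segment -> allowed public fields.
// Assumption: piece types are served at /api/v1/<module-name>.
const PUBLIC_API_PROJECTIONS = {
  article: { title: 1, slug: 1 },
  product: { title: 1, slug: 1, price: 1 }
};

// Constructed sample log lines in NGINX "combined" format (not real traffic).
const SAMPLE_LOG = `
203.0.113.7 - - [16/Apr/2026:09:12:01 +0000] "GET /api/v1/article?project[title]=1&project[slug]=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Apr/2026:09:12:05 +0000] "GET /api/v1/article?project[internalNotes]=1&project[draftStatus]=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.3 - - [16/Apr/2026:09:13:10 +0000] "GET /api/v1/product?page=2 HTTP/1.1" 200 4096 "-" "curl/8.4.0"
198.51.100.3 - - [16/Apr/2026:09:13:12 +0000] "GET /api/v1/product?project[cost]=1&project[supplierEmail]=1 HTTP/1.1" 200 1800 "-" "curl/8.4.0"
198.51.100.9 - - [16/Apr/2026:09:14:00 +0000] "POST /api/v1/@apostrophecms/login/login HTTP/1.1" 200 90 "-" "curl/8.4.0"
203.0.113.7 - - [16/Apr/2026:09:15:30 +0000] "GET /api/v1/article?project[title]=0 HTTP/1.1" 200 6000 "-" "Mozilla/5.0"
`;

// ip, timestamp, method, request target, status from a combined-format line.
const REQUEST_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Field names a request's `project` parameter touches. project[field]=0 is an
// exclusion, recorded as "-field"; a bare project= value is kept verbatim so
// an unexpected encoding is never silently ignored.
function projectedFields(searchParams) {
  const fields = [];
  for (const [key, value] of searchParams) {
    const m = key.match(/^project\[([^\]]+)\]$/);
    if (m) fields.push(value === '0' ? `-${m[1]}` : m[1]);
    else if (key === 'project') fields.push(`<raw:${value}>`);
  }
  return fields;
}

// Scan one log line; return an alert object, or null if nothing is suspicious.
function checkLine(line) {
  const m = line.match(REQUEST_RE);
  if (!m) return null;
  const [, ip, ts, method, target, status] = m;
  const url = new URL(target, 'http://placeholder');
  const typeMatch = url.pathname.match(/^\/api\/v1\/([^/]+)/);
  if (!typeMatch) return null;
  const pieceType = typeMatch[1];
  const allowed = PUBLIC_API_PROJECTIONS[pieceType];
  if (!allowed) return null; // not a piece type we track
  const requested = projectedFields(url.searchParams);
  const disallowed = requested.filter(f => !allowed[f]);
  if (disallowed.length === 0) return null;
  return { ip, ts, method, pieceType, status, disallowed };
}

function scanLog(text) {
  return text.split('\n').map(checkLine).filter(Boolean);
}

const alerts = scanLog(SAMPLE_LOG);
for (const a of alerts) {
  console.log(`${a.ts} ${a.ip} ${a.method} /api/v1/${a.pieceType} ` +
    `-> projection outside publicApiProjection: ${a.disallowed.join(', ')}`);
}
```

The first sample line (title and slug only) is legitimate and produces no alert; the requests for internalNotes/draftStatus and cost/supplierEmail, and the exclusion of title, are reported. Keying the allowlist off the path segment means the map has to be kept in step with each module's publicApiProjection, which is the audit step listed under Monitoring Recommendations.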
How to Mitigate CVE-2026-33888
Immediate Actions Required
- Upgrade ApostropheCMS to version 4.29.0 or later immediately
- Review all piece-type configurations that use publicApiProjection settings
- Audit logs for potential prior exploitation attempts
- Consider temporarily restricting public API access until patching is complete
Patch Information
ApostropheCMS has addressed this vulnerability in version 4.29.0. The fix ensures that the publicApiProjection is applied correctly regardless of user-supplied projection parameters. Security patches are available through the official GitHub repository:
- Commit 00d47280 - Initial security fix
- Commit 6c2b548d - Additional hardening
For complete details, refer to the GitHub Security Advisory GHSA-xhq9-58fw-859p.
Workarounds
- Implement a reverse proxy or WAF rule to strip or block project query parameters from incoming REST API requests; note that a blanket rule also removes the parameter for authenticated API clients that use it legitimately, so scope it to unauthenticated traffic if your proxy can tell the two apart
- Disable public REST API access for piece types containing sensitive fields until the patch can be applied; in ApostropheCMS the public GET endpoints of a piece type exist only while publicApiProjection is set, so removing that option from the module configuration makes those endpoints require login
- Use network-level access controls to restrict API access to trusted IP addresses
- Review and temporarily remove sensitive data from publicly queryable document collections
# Example NGINX configuration to block the project parameter on the REST API.
# Match both the bare form (project=) and the bracket form the query parser
# accepts (project[field]=1, which may arrive as project%5Bfield%5D=1).
# "if" inside "location" is only safe with "return"/"rewrite", as used here.
# This blocks the parameter for authenticated clients as well.
location /api/v1/ {
    if ($args ~* "(^|&)project(=|\[|%5B)") {
        return 403;
    }
    proxy_pass http://localhost:3000;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

