CVE-2026-32730
Received Received - Intake
Authentication Bypass in ApostropheCMS via Incomplete MFA Verification

Publication date: 2026-03-18

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens β€” where the password was verified but TOTP/MFA requirements were NOT β€” to be used as fully authenticated bearer tokens. This completely bypasses multi-factor authentication for any ApostropheCMS deployment using `@apostrophecms/login-totp` or any custom `afterPasswordVerified` login requirement. Version 4.28.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32730
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apostrophecms apostrophecms to 4.28.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-305 The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in ApostropheCMS versions prior to 4.28.0 in the bearer token authentication middleware located in `@apostrophecms/express/index.js`. The issue is caused by an incorrect MongoDB query that allows incomplete login tokensβ€”where the password has been verified but the Time-based One-Time Password (TOTP) or Multi-Factor Authentication (MFA) requirements have not been fulfilledβ€”to be accepted as fully authenticated bearer tokens.

As a result, this flaw completely bypasses multi-factor authentication for any ApostropheCMS deployment that uses `@apostrophecms/login-totp` or any custom login requirement that runs after password verification. The vulnerability was fixed in version 4.28.0.

Impact Analysis

This vulnerability can have a severe impact because it allows attackers to bypass multi-factor authentication controls. An attacker who has obtained a valid password can use an incomplete login token to gain full authenticated access without completing the second factor of authentication.

This leads to a high risk of unauthorized access, potentially compromising the confidentiality, integrity, and availability of the ApostropheCMS deployment and its data.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade ApostropheCMS to version 4.28.0 or later, where the issue with bearer token authentication middleware has been fixed.

Ensure that any deployment using `@apostrophecms/login-totp` or custom `afterPasswordVerified` login requirements is updated to prevent bypassing multi-factor authentication.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32730. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart