CVE-2026-33888
Authorization Bypass in ApostropheCMS Piece-Type Module Allows Data Disclosure
Publication date: 2026-04-15
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apostrophecms | apostrophecms | < 4.29.0 (all versions before 4.29.0; 4.29.0 itself excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in ApostropheCMS versions 4.28.0 and earlier, specifically in the `getRestQuery` method of the `@apostrophecms/piece-type` module. The method is supposed to apply an admin-configured `publicApiProjection` to restrict which fields are visible via the public API. However, if an unauthenticated attacker supplies a `project` query parameter in a REST API request, that parameter is processed before the permission check, so the `publicApiProjection` is skipped. This allows the attacker to bypass authorization and read any field on publicly queryable documents that should have been restricted, such as internal notes, draft content, or metadata.
Exploitation is simple and requires no authentication; an attacker only needs to append specific query parameters to a public URL.
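The ordering problem described above, as an added example in JavaScript that is not ApostropheCMS's own code: a simplified model of a REST projection builder, once in the vulnerable order (client-supplied `project` honoured before the permission check) and once in the hardened order (permission decided first, and an anonymous request may only narrow the public projection). The names `publicApiProjection`, `req.user` and `req.query.project` follow the advisory text; the helper functions, the `editor` role check, the sample module and the sample document are assumptions.

```javascript
// Added example (not ApostropheCMS's own code): a simplified model of the
// projection logic the advisory describes. publicApiProjection, req.user and
// req.query.project follow the advisory; the helper functions, the 'editor'
// role check and the sample module/document are assumptions.

// Hypothetical piece-type module: only these fields may leave the public API.
const articleModule = {
  name: 'article',
  options: { publicApiProjection: { title: 1, slug: 1, body: 1 } }
};

// Constructed sample document including fields an admin meant to keep private.
const sampleDoc = {
  _id: 'doc1', title: 'Hello', slug: 'hello', body: 'Public text',
  internalNotes: 'do not publish', draftContent: 'wip', metadata: { owner: 'ops' }
};

// Does the request carry edit permission? (Assumed role model.)
function canEdit(req) {
  return Boolean(req.user && req.user.role === 'editor');
}

// Normalise a client-supplied projection: keep only { field: 1 } inclusions.
function parseProjection(raw) {
  if (!raw || typeof raw !== 'object') return null;
  const proj = {};
  for (const [field, value] of Object.entries(raw)) {
    if (value === 1 || value === '1' || value === true) proj[field] = 1;
  }
  return Object.keys(proj).length ? proj : null;
}

// VULNERABLE order (as described for versions before 4.29.0): a `project`
// parameter is honoured before the permission check, so publicApiProjection
// is never applied to an anonymous request that supplies one.
function getRestProjectionVulnerable(req, module) {
  const requested = parseProjection(req.query.project);
  if (requested) return requested;                 // client decides the fields
  return canEdit(req) ? null : module.options.publicApiProjection;
}

// HARDENED order: decide permission first. An anonymous request may only
// narrow the public projection, never widen it.
function getRestProjectionHardened(req, module) {
  const requested = parseProjection(req.query.project);
  if (canEdit(req)) return requested;              // editors may project freely
  const allowed = module.options.publicApiProjection;
  if (!requested) return allowed;
  const narrowed = {};
  for (const field of Object.keys(requested)) {
    if (allowed[field]) narrowed[field] = 1;        // intersect with the allow-list
  }
  // An empty projection would mean "every field" to MongoDB, so fall back to
  // the full public projection rather than returning {}.
  return Object.keys(narrowed).length ? narrowed : allowed;
}

// Apply a projection to one document; a null projection returns all fields.
function applyProjection(doc, projection) {
  if (!projection) return { ...doc };
  return Object.fromEntries(Object.entries(doc).filter(([key]) => projection[key]));
}

// Sorted field names a given request actually receives under a given flow.
function fieldsReturned(getProjection, req) {
  const projection = getProjection(req, articleModule);
  return Object.keys(applyProjection(sampleDoc, projection)).sort();
}

// Anonymous request asking for a field the admin restricted.
const anonymousRequest = { user: null, query: { project: { internalNotes: 1 } } };
console.log('vulnerable:', fieldsReturned(getRestProjectionVulnerable, anonymousRequest));
console.log('hardened: ', fieldsReturned(getRestProjectionHardened, anonymousRequest));
```

The design point is that the permission decision must come before any client-controlled input is allowed to shape the query; intersecting the requested fields with the configured allow-list keeps the legitimate use of `project` (narrowing a response) without letting it widen what an anonymous caller can see.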
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information that administrators intended to keep private. Attackers can access restricted fields such as internal notes, draft content, or metadata without any authentication.
Because exploitation is trivial and requires only appending query parameters to a public URL, it increases the risk of data leakage and exposure of confidential or sensitive content.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in ApostropheCMS version 4.29.0. The immediate step to mitigate this vulnerability is to upgrade your ApostropheCMS installation to version 4.29.0 or later.
Since exploitation is trivial and requires no authentication, applying the update promptly is critical to prevent unauthorized disclosure of restricted fields.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated attackers to bypass field-level access controls and disclose sensitive fields such as internal notes, draft content, or metadata that administrators explicitly restricted from the public API.
Such unauthorized disclosure of sensitive or restricted data can lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.
Because exploitation is trivial and requires no authentication, this vulnerability increases the risk of data breaches, potentially violating confidentiality requirements mandated by these regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring REST API requests to ApostropheCMS piece-type modules for the presence of the `project` query parameter in unauthenticated requests.
Specifically, an attacker exploits the vulnerability by appending query parameters like `?project[internalNotes]=1` to public API URLs, which causes unauthorized disclosure of restricted fields.
To detect exploitation attempts or verify if your system is vulnerable, you can search your web server or application logs for REST API requests containing the `project` query parameter targeting piece-type endpoints.
- Use command-line tools like `grep` or `awk` to filter logs for suspicious requests, for example:
  - `grep -i 'project\[' /path/to/access.log`
  - `grep -E '\?project\[' /path/to/access.log`
  - Note that many web servers store the query string URL-encoded, so the parameter may appear as `project%5B` rather than `project[`; match both forms.
- Alternatively, use network monitoring tools or intrusion detection systems to alert on HTTP requests containing the `project` parameter in URLs to ApostropheCMS piece-type REST API endpoints.
Since exploitation requires no authentication and only involves appending query parameters, any such requests should be considered suspicious if your ApostropheCMS version is 4.28.0 or earlier and not patched.
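The log search described above, as an added JavaScript example that is not part of the advisory: it parses access-log lines in combined log format, keeps only requests to piece-type REST paths, and reports those that carry a `project` parameter in either its raw or URL-encoded form, which a plain `grep` for `project[` would miss. The log lines are constructed samples; the `/api/v1/<module>` path shape and the `article` module name are assumptions. Because a standard access log does not record session state, each finding still has to be correlated with the application's own authentication records to separate anonymous requests from legitimate editor traffic.

```javascript
// Added example (not from the advisory): scan access-log lines for piece-type
// REST requests that carry a `project` query parameter, raw or URL-encoded.
// The log lines are constructed samples in combined log format; the
// /api/v1/<module> path shape and the module name are assumptions.

const sampleLog = [
  '203.0.113.5 - - [15/Apr/2026:10:01:02 +0000] "GET /api/v1/article?project[internalNotes]=1 HTTP/1.1" 200 812 "-" "curl/8.6.0"',
  '203.0.113.5 - - [15/Apr/2026:10:01:09 +0000] "GET /api/v1/article?project%5BdraftContent%5D=1&project%5Bmetadata%5D=1 HTTP/1.1" 200 944 "-" "curl/8.6.0"',
  '198.51.100.7 - - [15/Apr/2026:10:02:00 +0000] "GET /api/v1/article?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [15/Apr/2026:10:02:30 +0000] "GET /projects/overview?project=alpha HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
  '192.0.2.9 - - [15/Apr/2026:10:03:11 +0000] "GET /api/v1/article/doc1?project[internalNotes]=1 HTTP/1.1" 200 401 "-" "python-requests/2.31"'
].join('\n');

// Combined log format: ip ident user [time] "METHOD target PROTO" status bytes ...
const LOG_LINE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)/;

// Piece-type REST endpoints (assumed shape): /api/v1/<module> or /api/v1/<module>/<id>.
const PIECE_ENDPOINT = /^\/api\/v1\/([^/]+)(?:\/[^/]+)?$/;

// Field names requested through project[field]=... (or a bare project=...).
function requestedFields(searchParams) {
  const fields = [];
  for (const [key, value] of searchParams) {
    const m = key.match(/^project\[([^\]]*)\]$/);
    if (m) fields.push(m[1]);
    else if (key === 'project') fields.push(value);
  }
  return fields;
}

// Parse one line; return a finding object or null when nothing is suspicious.
function inspectLine(line) {
  const m = line.match(LOG_LINE);
  if (!m) return null;
  const [, ip, user, time, method, target, status] = m;
  let url;
  try { url = new URL(target, 'http://localhost'); } catch (e) { return null; }
  const endpoint = url.pathname.match(PIECE_ENDPOINT);
  if (!endpoint) return null;                        // not a piece-type REST path
  const fields = requestedFields(url.searchParams);  // URL decodes %5B/%5D for us
  if (!fields.length) return null;                   // no projection supplied
  return { ip, remoteUser: user, time, method, module: endpoint[1], fields, status: Number(status) };
}

function findProjectionRequests(logText) {
  return logText.split('\n').map(inspectLine).filter(Boolean);
}

// Number of findings per source address, to spot a single client probing fields.
function countBySource(findings) {
  const counts = {};
  for (const f of findings) counts[f.ip] = (counts[f.ip] || 0) + 1;
  return counts;
}

for (const f of findProjectionRequests(sampleLog)) {
  console.log(`${f.time} ${f.ip} ${f.method} /api/v1/${f.module} project=[${f.fields.join(', ')}] -> ${f.status}`);
}
console.log(countBySource(findProjectionRequests(sampleLog)));
```

On the sample input the third and fourth lines are ignored: one has no `project` parameter and the other uses `project` on a non-API path, which is exactly the kind of false positive a bare `grep 'project'` would report.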