CVE-2026-39857
Authorization Bypass in ApostropheCMS REST API Exposes Data
Publication date: 2026-04-15
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apostrophecms | apostrophecms | all versions before 4.29.0 (4.29.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39857 is an authorization bypass vulnerability in ApostropheCMS versions 4.28.0 and prior. It affects the REST API's choices and counts query parameters, which use MongoDB's distinct() operation to retrieve distinct values of schema fields. These operations bypass the publicApiProjection restrictions and viewPermission protections intended to limit which fields are exposed publicly. Because MongoDB's distinct operation ignores projections, the API returns all distinct values for any schema field with a registered query builder, including those that should be hidden or protected.
An unauthenticated attacker can exploit this flaw to extract distinct values of any field type, including string, integer, float, select, boolean, date, slug, and relationship fields. The counts parameter also reveals how many documents have each distinct value. Both piece-type and page REST APIs are affected. The vulnerability was fixed in version 4.29.0 by adding checks that enforce projection-based and permission-based filtering before returning distinct values.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to bypass field-level access controls and extract sensitive or restricted data from ApostropheCMS instances. Attackers can obtain distinct values of any schema field, including those protected by permissions or excluded from public API projections.
- Exposure of sensitive internal data such as status values, priority levels, internal notes, or restricted content metadata.
- Leakage of statistical information about document counts for distinct field values.
- Potential information disclosure to unauthorized users without any authentication or privileges.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring API requests to the ApostropheCMS REST API that include the query parameters `choices` or `counts`. An unauthenticated attacker may attempt to access distinct values of schema fields by sending requests with these parameters.
To detect exploitation attempts, you can look for HTTP requests to the API endpoints with query strings such as `?choices=fieldName` or `?counts=fieldName` where `fieldName` is any schema field.
Example commands using curl to test whether the vulnerability exists on your system:
- `curl -X GET "https://your-apostrophecms-site/api/v1/pieces/your-piece-type?choices=status"`
- `curl -X GET "https://your-apostrophecms-site/api/v1/pieces/your-piece-type?counts=priority"`
If these requests return distinct values for fields that should be restricted or protected by permissions, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade ApostropheCMS to version 4.29.0 or later, where this vulnerability has been fixed.
The fix enforces filtering of distinct values returned by the `choices` and `counts` query builders based on the `publicApiProjection` and `viewPermission` restrictions, preventing unauthorized data exposure.
If upgrading immediately is not possible, consider restricting or disabling public access to the REST API endpoints that accept `choices` and `counts` query parameters to prevent unauthenticated users from exploiting this issue.
Additionally, monitor API logs for suspicious requests containing these parameters and block or rate-limit such requests as a temporary protective measure.
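As an added example (not ApostropheCMS code), the log review described above in JavaScript: it scans constructed access-log lines for API requests carrying `choices` or `counts`, and flags any requested field that is outside a hypothetical `publicApiProjection`, which is the same allowlist principle the 4.29.0 fix enforces server-side.

```javascript
// Added example, not ApostropheCMS code. Scans access-log lines for REST API
// requests using the `choices` / `counts` query parameters and reports the
// requested fields that fall outside a module's publicApiProjection.
// The log lines and the projection below are constructed for this example.

const LOG_LINES = [
  '203.0.113.7 - - [15/Apr/2026:10:01:02 +0000] "GET /api/v1/article?choices=status HTTP/1.1" 200 412',
  '203.0.113.7 - - [15/Apr/2026:10:01:05 +0000] "GET /api/v1/article?counts=priority,internalNotes HTTP/1.1" 200 980',
  '198.51.100.9 - - [15/Apr/2026:10:02:10 +0000] "GET /api/v1/article?choices=tags HTTP/1.1" 200 230',
  '198.51.100.9 - - [15/Apr/2026:10:02:11 +0000] "GET /api/v1/article/abc123 HTTP/1.1" 200 1400',
  '203.0.113.7 - - [15/Apr/2026:10:03:00 +0000] "POST /api/v1/@apostrophecms/login/login HTTP/1.1" 401 60',
];

// Hypothetical public projection for an "article" piece type: only these
// fields are meant to be visible to unauthenticated API callers.
const PUBLIC_API_PROJECTION = { title: 1, slug: 1, tags: 1 };

// Common/combined log format: ip ident user [time] "METHOD target HTTP/x" status
const REQUEST_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3})/;

// Parse one log line. Returns null for anything that is not a GET to /api/v1/
// carrying a choices or counts parameter (ordinary traffic is ignored).
// A comma-separated value is treated as several field names (assumption).
function parseLine(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, target, status] = m;
  if (method !== 'GET' || !target.startsWith('/api/v1/')) return null;
  const url = new URL(target, 'http://localhost');
  const fields = [];
  for (const param of ['choices', 'counts']) {
    const value = url.searchParams.get(param);
    if (value) for (const f of value.split(',')) fields.push({ param, field: f.trim() });
  }
  if (fields.length === 0) return null;
  return { ip, ts, path: url.pathname, status: Number(status), fields };
}

// One finding per requested field that the projection does not allow.
function findExposures(lines, projection) {
  const findings = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    for (const { param, field } of req.fields) {
      if (!Object.prototype.hasOwnProperty.call(projection, field)) {
        findings.push({ ip: req.ip, ts: req.ts, path: req.path, status: req.status, param, field });
      }
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findExposures(LOG_LINES, PUBLIC_API_PROJECTION));
}
```

Requests for fields inside the projection (here `tags`) are legitimate public use and are not reported; everything flagged is worth correlating with the upgrade status of the instance.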
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in ApostropheCMS allows unauthenticated attackers to bypass field-level access controls and extract distinct values of any schema field, including those protected by permissions or excluded from public API projections.
This unauthorized exposure of potentially sensitive or restricted data fields can lead to leakage of internal or confidential information such as status values, priority levels, internal notes, or restricted content metadata.
Such data leakage risks violating data protection regulations and standards like GDPR or HIPAA, which require strict controls on unauthorized access to personal or sensitive information.
By exposing data without proper authorization, the vulnerability undermines compliance with these regulations' requirements for confidentiality, data minimization, and access control.