CVE-2026-53609
Status: Received (Intake)
Prototype pollution in ApostropheCMS via the $pullAll patch operator

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, `apos.util.set()` traverses dot-notation paths without sanitizing `__proto__`, allowing an authenticated editor to write arbitrary values to `Object.prototype` via the `$pullAll` patch operator. A confirmed gadget in `publicApiCheck()` causes this to bypass authorization on all piece-type REST API endpoints for every subsequent unauthenticated request, for the lifetime of the Node.js process. As of time of publication, no known patched versions are available.
Meta Information
Page generated: 2026-06-13
EPSS: not yet evaluated (N/A)
Affected Vendors & Products
Vendor: apostrophecms
Product: apostrophe
Version range: up to and including 4.30.0
Weakness
CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, 'Prototype Pollution'): The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Executive Summary

This vulnerability exists in ApostropheCMS, an open-source Node.js content management system, in versions up to and including 4.30.0. The issue arises because the function apos.util.set() traverses dot-notation paths without sanitizing the __proto__ property. This allows an authenticated editor to write arbitrary values to Object.prototype using the $pullAll patch operator.

A confirmed gadget in the publicApiCheck() function causes this to bypass authorization on all piece-type REST API endpoints for every subsequent unauthenticated request, for the lifetime of the Node.js process.

No patched versions are known to be available at the time of publication.

Impact Analysis

The severity comes from where the write lands. Object.prototype is shared by every plain object in the process, so a value written there once by a single malicious or compromised editor account is inherited by every object created afterwards, including the request and permission objects built for unauthenticated callers.

Because publicApiCheck() honours the injected value, every subsequent unauthenticated request passes authorization on all piece-type REST API endpoints. The condition is not tied to a session or a token; it persists until the Node.js process is restarted.

In practice, whatever operations those endpoints expose for the affected piece types become available to anonymous callers for the lifetime of the process, so the confidentiality and integrity of piece content are directly at risk, and the exposure is site-wide rather than limited to the content the editor could already reach.

Mitigation Strategies

As of the time of publication, no known patched versions of ApostropheCMS are available to fix this vulnerability.

Until a fix ships, immediate steps include: restricting editor accounts to trusted users and reviewing recently created or modified editor accounts; monitoring and rate-limiting unauthenticated REST API requests, and rejecting patch payloads whose dot-notation paths contain `__proto__`, `constructor` or `prototype` segments at a reverse proxy or middleware layer where feasible; and temporarily disabling or restricting the piece-type REST API endpoints where the site can tolerate it.

Because the pollution lives only in process memory, restarting the Node.js process clears it; after any suspected abuse, restart the process and inspect the own properties of Object.prototype (for example with Object.getOwnPropertyNames(Object.prototype)) for unexpected keys before and after the restart.

Additionally, closely monitor official ApostropheCMS channels for any forthcoming patches or updates addressing this issue.
