CVE-2026-53609
Status: Deferred - Pending Action

A prototype pollution in ApostropheCMS via $pullAll patch

Vulnerability report for CVE-2026-53609, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description

ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, `apos.util.set()` traverses dot-notation paths without sanitizing `__proto__`, allowing an authenticated editor to write arbitrary values to `Object.prototype` via the `$pullAll` patch operator. A confirmed gadget in `publicApiCheck()` causes this to bypass authorization on all piece-type REST API endpoints for every subsequent unauthenticated request, for the lifetime of the Node.js process. As of time of publication, no known patched versions are available.
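The traversal flaw described above, as an added illustration that is not ApostropheCMS's `apos.util.set()` or its `$pullAll` handling: a minimal dot-path setter with the same defect class, a hardened counterpart, a reconstruction of how a `$pullAll` operator could hand an attacker-chosen path to that setter, and a hypothetical options lookup standing in for the unnamed `publicApiCheck()` gadget. The names `unsafeSet`, `safeSet`, `applyPullAll`, `publicAccessAllowed`, `prototypeIsClean` and `hypotheticalPublicFlag`, and the patch body, are all constructed for this example.

```javascript
'use strict';

// Path segments that a user-controlled dot path must never traverse or assign.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// VULNERABLE pattern (constructed, not the CMS's code): walks the path with no
// key filtering. For "__proto__.x", cur["__proto__"] is Object.prototype, so the
// final assignment becomes visible on every plain object in the process.
function unsafeSet(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] == null) {
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// HARDENED version: reject the dangerous segments outright, and only descend
// into own properties so an inherited value can never serve as a container.
function safeSet(obj, path, value) {
  const parts = path.split('.');
  for (const part of parts) {
    if (FORBIDDEN_KEYS.has(part)) {
      throw new Error(`refusing to traverse forbidden key "${part}" in path "${path}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Reconstruction of a $pullAll applier (shape only, not the CMS's code): read the
// array at each path, drop the listed values, write the rest back through the
// setter. A missing array is treated as empty, so a path that points at nothing
// still produces a write of [] - a truthy value - at the attacker's path.
function applyPullAll(doc, patch, setter) {
  for (const [path, values] of Object.entries(patch.$pullAll || {})) {
    const current = path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), doc);
    const remaining = Array.isArray(current) ? current.filter((v) => !values.includes(v)) : [];
    setter(doc, path, remaining);
  }
  return doc;
}

// Hypothetical gadget: an options lookup that falls through to the prototype.
// The page confirms a gadget in publicApiCheck() but does not name the property.
function publicAccessAllowed(moduleOptions) {
  return Boolean(moduleOptions.hypotheticalPublicFlag);
}

// Process canary: a clean Object.prototype has no own enumerable keys, and a
// value written by plain assignment is enumerable.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed attacker patch: the path walks through __proto__, not a doc field.
const maliciousPatch = { $pullAll: { '__proto__.hypotheticalPublicFlag': ['x'] } };

function demoVulnerable() {
  const moduleOptions = {};                      // a module with no public flag set
  const allowedBefore = publicAccessAllowed(moduleOptions);
  applyPullAll({ title: 'doc' }, maliciousPatch, unsafeSet);
  const result = {
    allowedBefore,
    allowedAfter: publicAccessAllowed(moduleOptions), // same object, now "allowed"
    prototypeClean: prototypeIsClean(),
  };
  delete Object.prototype.hypotheticalPublicFlag;  // undo the pollution for the demo
  return result;
}

function demoHardened() {
  const moduleOptions = {};
  let rejected = false;
  try {
    applyPullAll({ title: 'doc' }, maliciousPatch, safeSet);
  } catch (e) {
    rejected = true;
  }
  return { rejected, allowedAfter: publicAccessAllowed(moduleOptions), prototypeClean: prototypeIsClean() };
}

// A legitimate $pullAll still works through the hardened setter.
function demoBenign() {
  const doc = { tags: ['a', 'b', 'c'] };
  applyPullAll(doc, { $pullAll: { tags: ['b'] } }, safeSet);
  return doc.tags;
}

console.log('vulnerable:', demoVulnerable());
console.log('hardened:  ', demoHardened());
console.log('benign:    ', demoBenign());
```

The vulnerable run flips `publicAccessAllowed` from false to true for an options object that was never touched, which is the whole point of the gadget: the check reads a key the polluted prototype now supplies. `prototypeIsClean()` is cheap enough to run per request or on a timer as a canary in a process that handles untrusted patches; when it fails, the process should be restarted rather than patched up in place, since the only property removed here is the one this demo knows about.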

Meta Information

Published: 2026-06-12
Last Modified: 2026-06-15
Generated: 2026-07-03
AI Q&A: 2026-06-13
EPSS Evaluated: 2026-07-02

Affected Vendors & Products

Associated CPE (1):
Vendor: apostrophecms
Product: apostrophe
Version / Range: up to and including 4.30.0

Exploitability

CWE: CWE-1321, Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
KEV: no entry shown

Executive Summary

ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, `apos.util.set()` walks a dot-notation path segment by segment without rejecting `__proto__`, so a path of the form `__proto__.<key>` resolves to `Object.prototype` and the final assignment lands there. An authenticated editor can reach this setter through the `$pullAll` patch operator and so write attacker-chosen values onto `Object.prototype`.

A confirmed gadget in `publicApiCheck()` picks up the polluted value, so the authorization check passes for every subsequent unauthenticated request to piece-type REST API endpoints. The effect persists for the lifetime of the Node.js process, not just for the attacker's own request.

No patched versions are known to be available at the time of publication.

Impact Analysis

The pollution is written once by an authenticated editor but is read by every later request, so a single low-privilege action changes the authorization outcome for all piece-type REST API endpoints.

Because `publicApiCheck()` then passes for unauthenticated callers, anyone who can reach the REST API can use those endpoints without a session for as long as the polluted Node.js process keeps running; depending on which piece-type routes are exposed, that covers reading, creating, modifying and deleting piece content.

This puts the confidentiality and integrity of content managed through those endpoints at risk, and availability where deletion or bulk modification is reachable.

Mitigation Strategies

As of the time of publication, no known patched versions of ApostropheCMS are available to fix this vulnerability.

Until a fix ships: limit editor accounts to trusted users and review the existing ones, since the pollution step requires an authenticated editor; treat patch bodies that carry `__proto__`, `constructor` or `prototype` as object keys or as dot-path segments as hostile and reject or alert on them at the edge; watch for unauthenticated requests to piece-type REST API endpoints that begin succeeding where they previously returned an error; and consider temporarily disabling or restricting the piece-type REST API endpoints where the site can tolerate it. Restarting the Node.js process clears a polluted `Object.prototype`, because the effect lives only for the process lifetime, but it does nothing to prevent re-pollution.

Additionally, closely monitor official ApostropheCMS channels for any forthcoming patches or updates addressing this issue.
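A boundary check for the mitigation above, added here as an example and not part of ApostropheCMS: scan a parsed JSON patch body for `__proto__`, `constructor` or `prototype` appearing either as an object key or as a segment of a dot-notation path, and refuse the request when found. The function names `findPrototypeKeys` and `screenRequest` and the sample bodies are constructed; the check is meant to sit in front of the application (reverse proxy, WAF or an early middleware) where the body has been parsed but not yet applied.

```javascript
'use strict';

const DANGEROUS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively scan a parsed JSON value. Reports any object key, and any
// dot-separated segment inside a key (e.g. "$pullAll": { "__proto__.x": [...] }),
// that names a prototype-related property. Locations use a $.a[0].b style trail.
// JSON.parse creates "__proto__" as an ordinary own key, so Object.keys sees it.
function findPrototypeKeys(value, trail = '$') {
  const findings = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => findings.push(...findPrototypeKeys(item, `${trail}[${i}]`)));
    return findings;
  }
  if (value === null || typeof value !== 'object') {
    return findings;
  }
  for (const key of Object.keys(value)) {
    const hit = key.split('.').find((seg) => DANGEROUS.has(seg));
    if (hit !== undefined) {
      findings.push({ at: `${trail}.${key}`, segment: hit });
    }
    findings.push(...findPrototypeKeys(value[key], `${trail}.${key}`));
  }
  return findings;
}

// Decide whether a body-carrying request should be passed on. Only methods that
// can mutate documents are screened; the decision object is what a middleware
// would turn into a 400 plus a log line.
function screenRequest(method, path, body) {
  if (!['PATCH', 'PUT', 'POST'].includes(method)) {
    return { allow: true, path, findings: [] };
  }
  const findings = findPrototypeKeys(body);
  if (findings.length > 0) {
    return { allow: false, path, reason: 'prototype-pollution attempt', findings };
  }
  return { allow: true, path, findings: [] };
}

// Constructed sample bodies (not captured traffic).
const SAMPLE_MALICIOUS = JSON.parse('{"$pullAll":{"__proto__.flag":["x"]}}');
const SAMPLE_NESTED = JSON.parse('{"items":[{"constructor":{"prototype":{"x":1}}}]}');
const SAMPLE_BENIGN = JSON.parse('{"$pullAll":{"tags":["b"]},"title":"Hello"}');

console.log(screenRequest('PATCH', '/api/v1/article/1', SAMPLE_MALICIOUS));
console.log(screenRequest('PATCH', '/api/v1/article/1', SAMPLE_NESTED));
console.log(screenRequest('PATCH', '/api/v1/article/1', SAMPLE_BENIGN));
```

The scan flags `constructor` and `prototype` as well as `__proto__`, because `constructor.prototype.<key>` reaches the same object in most setter implementations and a check that only knows the one spelling named in the advisory is easy to sidestep. The cost is a false positive on a document that legitimately has a field called `constructor`, which is rare enough to log and review by hand.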

Compliance Impact

This vulnerability allows an authenticated editor to write arbitrary values to Object.prototype and bypass authorization on all piece-type REST API endpoints for every subsequent unauthenticated request during the lifetime of the Node.js process.

Such unauthorized access and potential data manipulation could lead to breaches of confidentiality, integrity, and availability of data managed by ApostropheCMS.

Consequently, this could impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls on data access and protection against unauthorized data modification or disclosure.
