{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32730", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T15:02:00.626Z", "datePublished": "2026-03-18T22:00:14.612Z", "dateUpdated": "2026-03-19T16:12:15.179Z"}, "containers": {"cna": {"title": "ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-305", "lang": "en", "description": "CWE-305: Authentication Bypass by Primary Weakness", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-v9xm-ffx2-7h35", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-v9xm-ffx2-7h35"}], "affected": [{"vendor": "apostrophecms", "product": "apostrophe", "versions": [{"version": "< 4.28.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T22:00:14.612Z"}, "descriptions": [{"lang": "en", "value": "ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens \u2014 where the password was verified but TOTP/MFA requirements were NOT \u2014 to be used as fully authenticated bearer tokens. This completely bypasses multi-factor authentication for any ApostropheCMS deployment using `@apostrophecms/login-totp` or any custom `afterPasswordVerified` login requirement. Version 4.28.0 fixes the issue."}], "source": {"advisory": "GHSA-v9xm-ffx2-7h35", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T16:12:00.481300Z", "id": "CVE-2026-32730", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T16:12:15.179Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32730", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-19T16:12:00.481300Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T16:12:06.803Z"}}], "cna": {"title": "ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware", "source": {"advisory": "GHSA-v9xm-ffx2-7h35", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "apostrophecms", "product": "apostrophe", "versions": [{"status": "affected", "version": "< 4.28.0"}]}], "references": [{"url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-v9xm-ffx2-7h35", "name": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-v9xm-ffx2-7h35", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens \u2014 where the password was verified but TOTP/MFA requirements were NOT \u2014 to be used as fully authenticated bearer tokens. This completely bypasses multi-factor authentication for any ApostropheCMS deployment using `@apostrophecms/login-totp` or any custom `afterPasswordVerified` login requirement. Version 4.28.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-305", "description": "CWE-305: Authentication Bypass by Primary Weakness"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T22:00:14.612Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32730", "state": "PUBLISHED", "dateUpdated": "2026-03-19T16:12:15.179Z", "dateReserved": "2026-03-13T15:02:00.626Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T22:00:14.612Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apostrophecms:apostrophecms:*:*:*:*:*:*:*:*", "matchCriteriaId": "01CB37B4-4FF5-4E4D-97B7-AB8E66630F97", "versionEndExcluding": "4.28.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens \u2014 where the password was verified but TOTP/MFA requirements were NOT \u2014 to be used as fully authenticated bearer tokens. This completely bypasses multi-factor authentication for any ApostropheCMS deployment using `@apostrophecms/login-totp` or any custom `afterPasswordVerified` login requirement. Version 4.28.0 fixes the issue."}, {"lang": "es", "value": "ApostropheCMS es un framework de gesti\u00f3n de contenido de c\u00f3digo abierto. Antes de la versi\u00f3n 4.28.0, el middleware de autenticaci\u00f3n de token de portador en `@apostrophecms/express/index.js` (l\u00edneas 386-389) contiene una consulta de MongoDB incorrecta que permite que tokens de inicio de sesi\u00f3n incompletos \u2014 donde la contrase\u00f1a fue verificada pero los requisitos de TOTP/MFA NO lo fueron \u2014 sean usados como tokens de portador completamente autenticados. Esto omite completamente la autenticaci\u00f3n multifactor para cualquier despliegue de ApostropheCMS que use `@apostrophecms/login-totp` o cualquier requisito de inicio de sesi\u00f3n `afterPasswordVerified` personalizado. La versi\u00f3n 4.28.0 corrige el problema."}], "id": "CVE-2026-32730", "lastModified": "2026-03-24T21:34:09.467", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T23:17:29.370", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-v9xm-ffx2-7h35"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-305"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.28.0)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 94.0, "source": "matching"}]}, "original": {"product": "apostrophe", "source": "cna", "vendor": "apostrophecms"}, "product": "apostrophecms", "vendor": "apostrophecms"}], "analysis": {"en": {"generated_at": "2026-03-24T22:30:24.960369+00:00", "value": {"mitigation_remediation": ["Upgrade ApostropheCMS to version 4.28.0 or later to apply the fix", "Verify that the @apostrophecms/login-totp module and any custom afterPasswordVerified logic are enabled and functioning after the upgrade", "If upgrading immediately is not feasible, block or monitor bearer token authentication until a patch is applied, and consider disabling unauthenticated token usage", "Review and tighten token validation logic in custom code to prevent acceptance of incomplete tokens", "Monitor authentication logs for unusual or repeated failed MFA attempts and investigate promptly"], "summary": {"action": "Immediate Patch", "impact": "MFA bypass leading to unauthorized access"}, "threat_synthesis": {"affected_systems": "The flaw affects ApostropheCMS deployments built with the open\u2011source framework up to version 4.27.x. Packages using the @apostrophecms/login\u2011totp module or any custom afterPasswordVerified login requirement are vulnerable. The update delivered in version 4.28.0 corrects the query and restores MFA enforcement.", "description_and_impact": "The vulnerability arises from an incorrect MongoDB query in the bearer token authentication middleware. Tokens that have a valid password but do not satisfy the Time\u2011Based One\u2011Time Password (TOTP) or other multi\u2011factor authentication (MFA) requirement are mistakenly accepted as fully authenticated. Consequently an attacker who obtains or crafts such an incomplete token can gain full access to the site with the privileges of the account whose credentials were used, bypassing all MFA enforcement. This enables unauthorized read, write or administrative operations, compromising confidentiality, integrity, and availability of the CMS content and configuration.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity vulnerability. The EPSS score is less than 1\u202f%, suggesting that, while highly impactful, the probability of large\u2011scale exploitation currently appears low, and the issue has not yet entered the CISA Known Exploited Vulnerabilities catalog. An attacker can exploit the flaw remotely by presenting a bearer token that passes password verification but fails MFA checks, and no additional credentials or local access are required. The attack vector is therefore remote. Because the weakness resides in the server\u2011side authentication logic, a successful exploit immediately grants full administrative access to the application."}}}}, "created": "2026-03-19T08:55:14.080611+00:00", "updated": "2026-03-25T11:51:57.114458+00:00", "vendors": ["apostrophecms", "apostrophecms$PRODUCT$apostrophecms"]}