{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33326", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T21:23:36.678Z", "datePublished": "2026-03-24T19:08:05.877Z", "dateUpdated": "2026-03-25T13:37:10.313Z"}, "containers": {"cna": {"title": "@keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/keystonejs/keystone/security/advisories/GHSA-cgcg-q9jh-5pr2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-cgcg-q9jh-5pr2"}], "affected": [{"vendor": "keystonejs", "product": "keystone", "versions": [{"version": "< 6.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:08:05.877Z"}, "descriptions": [{"lang": "en", "value": "Keystone is a content management system for Node.js. Prior to version 6.5.2, {field}.isFilterable access control can be bypassed in findMany queries by passing a cursor. This can be used to confirm the existence of records by protected field values. The fix for CVE-2025-46720 (field-level isFilterable bypass for update and delete mutations) added checks to the where parameter in update and delete mutations however the cursor parameter in findMany was not patched and accepts the same UniqueWhere input type. This issue has been patched in version 6.5.2."}], "source": {"advisory": "GHSA-cgcg-q9jh-5pr2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:37:00.557629Z", "id": "CVE-2026-33326", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:37:10.313Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "@keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany", "source": {"advisory": "GHSA-cgcg-q9jh-5pr2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "keystonejs", "product": "keystone", "versions": [{"status": "affected", "version": "< 6.5.2"}]}], "references": [{"url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-cgcg-q9jh-5pr2", "name": "https://github.com/keystonejs/keystone/security/advisories/GHSA-cgcg-q9jh-5pr2", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Keystone is a content management system for Node.js. Prior to version 6.5.2, {field}.isFilterable access control can be bypassed in findMany queries by passing a cursor. This can be used to confirm the existence of records by protected field values. The fix for CVE-2025-46720 (field-level isFilterable bypass for update and delete mutations) added checks to the where parameter in update and delete mutations however the cursor parameter in findMany was not patched and accepts the same UniqueWhere input type. This issue has been patched in version 6.5.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:08:05.877Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33326", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:37:00.557629Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-25T13:37:04.561Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-33326", "state": "PUBLISHED", "dateUpdated": "2026-03-24T19:08:05.877Z", "dateReserved": "2026-03-18T21:23:36.678Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T19:08:05.877Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:keystonejs:keystone:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7115F298-5F71-4F46-ADD2-ED8159B278A5", "versionEndExcluding": "6.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Keystone is a content management system for Node.js. Prior to version 6.5.2, {field}.isFilterable access control can be bypassed in findMany queries by passing a cursor. This can be used to confirm the existence of records by protected field values. The fix for CVE-2025-46720 (field-level isFilterable bypass for update and delete mutations) added checks to the where parameter in update and delete mutations however the cursor parameter in findMany was not patched and accepts the same UniqueWhere input type. This issue has been patched in version 6.5.2."}, {"lang": "es", "value": "Keystone es un sistema de gesti\u00f3n de contenido para Node.js. Antes de la versi\u00f3n 6.5.2, el control de acceso {field}.isFilterable puede ser eludido en consultas findMany al pasar un cursor. Esto puede usarse para confirmar la existencia de registros mediante valores de campos protegidos. La correcci\u00f3n para CVE-2025-46720 (elusi\u00f3n de isFilterable a nivel de campo para mutaciones de actualizaci\u00f3n y eliminaci\u00f3n) a\u00f1adi\u00f3 comprobaciones al par\u00e1metro where en las mutaciones de actualizaci\u00f3n y eliminaci\u00f3n; sin embargo, el par\u00e1metro cursor en findMany no fue parcheado y acepta el mismo tipo de entrada UniqueWhere. Este problema ha sido parcheado en la versi\u00f3n 6.5.2."}], "id": "CVE-2026-33326", "lastModified": "2026-05-04T15:26:15.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-24T20:16:28.043", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-cgcg-q9jh-5pr2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.5.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "keystone", "source": "cna", "vendor": "keystonejs"}, "product": "keystone", "vendor": "keystonejs"}], "analysis": {"en": {"generated_at": "2026-03-24T20:22:33.470293+00:00", "value": {"mitigation_remediation": ["Upgrade Keystone to version 6.5.2 or newer. ", "If immediate upgrade is not possible, block or sanitize cursor parameters in findMany queries to enforce isFilterable checks. ", "After applying the patch or workaround, review access control configurations to confirm that protected fields remain inaccessible. ", "Monitor API traffic for patterns that resemble enumeration attempts through cursor usage."], "summary": {"action": "Apply Patch", "impact": "Authorization bypass enabling record enumeration via protected fields"}, "threat_synthesis": {"affected_systems": "The vulnerability affects keystonejs Keystone versions prior to 6.5.2. Any deployment of Keystone 6 using its default data layer can be impacted if findMany queries are exposed through an API endpoint. No other vendors or products are listed as affected.", "description_and_impact": "Keystone, a Node.js content management system, has a weakness where the isFilterable check on protected fields can be overridden in findMany queries when a cursor parameter is supplied. This oversight, classified as CWE-863, lets an attacker confirm the existence of records that match specific protected field values, effectively bypassing intended access controls without altering any data.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. While EPSS data is unavailable, the issue can be exploited over the network by an attacker who can send a properly crafted findMany request with a cursor argument. Successful exploitation would allow enumeration of protected data but does not provide direct code execution or privilege escalation."}}}}, "created": "2026-03-25T11:46:21.932138+00:00", "updated": "2026-03-25T20:57:47.491694+00:00", "vendors": ["keystonejs", "keystonejs$PRODUCT$keystone"]}