{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33888", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:10:05.681Z", "datePublished": "2026-04-15T19:25:46.262Z", "dateUpdated": "2026-04-15T20:03:30.594Z"}, "containers": {"cna": {"title": "ApostropheCMS: publicApiProjection Bypass via `project` Query Builder in Piece-Type REST API", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-xhq9-58fw-859p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-xhq9-58fw-859p"}, {"name": "https://github.com/apostrophecms/apostrophe/commit/00d472804bb622df36a761b6f2cf2b33b2d4ce80", "tags": ["x_refsource_MISC"], "url": "https://github.com/apostrophecms/apostrophe/commit/00d472804bb622df36a761b6f2cf2b33b2d4ce80"}, {"name": "https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa", "tags": ["x_refsource_MISC"], "url": "https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa"}], "affected": [{"vendor": "apostrophecms", "product": "apostrophe", "versions": [{"version": "< 4.29.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T19:25:46.262Z"}, "descriptions": [{"lang": "en", "value": "ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB projection has already been set before applying the admin-configured publicApiProjection. An unauthenticated attacker can supply a project query parameter in the REST API request, which is processed by applyBuildersSafely before the permission check, pre-populating the projection state and causing the publicApiProjection to be skipped entirely. This allows disclosure of any field on publicly queryable documents that the administrator explicitly restricted from the public API, such as internal notes, draft content, or metadata. Exploitation is trivial, requiring only appending query parameters to a public URL with no authentication. This issue has been fixed in version 4.29.0."}], "source": {"advisory": "GHSA-xhq9-58fw-859p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T20:03:13.844941Z", "id": "CVE-2026-33888", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T20:03:30.594Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33888", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T20:03:13.844941Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T20:03:24.555Z"}}], "cna": {"title": "ApostropheCMS: publicApiProjection Bypass via `project` Query Builder in Piece-Type REST API", "source": {"advisory": "GHSA-xhq9-58fw-859p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "apostrophecms", "product": "apostrophe", "versions": [{"status": "affected", "version": "< 4.29.0"}]}], "references": [{"url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-xhq9-58fw-859p", "name": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-xhq9-58fw-859p", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/apostrophecms/apostrophe/commit/00d472804bb622df36a761b6f2cf2b33b2d4ce80", "name": "https://github.com/apostrophecms/apostrophe/commit/00d472804bb622df36a761b6f2cf2b33b2d4ce80", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa", "name": "https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB projection has already been set before applying the admin-configured publicApiProjection. An unauthenticated attacker can supply a project query parameter in the REST API request, which is processed by applyBuildersSafely before the permission check, pre-populating the projection state and causing the publicApiProjection to be skipped entirely. This allows disclosure of any field on publicly queryable documents that the administrator explicitly restricted from the public API, such as internal notes, draft content, or metadata. Exploitation is trivial, requiring only appending query parameters to a public URL with no authentication. This issue has been fixed in version 4.29.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T19:25:46.262Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33888", "state": "PUBLISHED", "dateUpdated": "2026-04-15T20:03:30.594Z", "dateReserved": "2026-03-24T15:10:05.681Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-15T19:25:46.262Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apostrophecms:apostrophecms:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CFAFBDF-2EB1-404B-B370-8C510FC289AE", "versionEndExcluding": "4.29.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB projection has already been set before applying the admin-configured publicApiProjection. An unauthenticated attacker can supply a project query parameter in the REST API request, which is processed by applyBuildersSafely before the permission check, pre-populating the projection state and causing the publicApiProjection to be skipped entirely. This allows disclosure of any field on publicly queryable documents that the administrator explicitly restricted from the public API, such as internal notes, draft content, or metadata. Exploitation is trivial, requiring only appending query parameters to a public URL with no authentication. This issue has been fixed in version 4.29.0."}], "id": "CVE-2026-33888", "lastModified": "2026-04-20T17:04:34.147", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-15T20:16:35.677", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/apostrophecms/apostrophe/commit/00d472804bb622df36a761b6f2cf2b33b2d4ce80"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-xhq9-58fw-859p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.29.0)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 94.0, "source": "matching"}]}, "original": {"product": "apostrophe", "source": "cna", "vendor": "apostrophecms"}, "product": "apostrophecms", "vendor": "apostrophecms"}], "analysis": {"en": {"generated_at": "2026-04-15T21:54:24.500108+00:00", "value": {"mitigation_remediation": ["Apply the 4.29.0 or later ApostropheCMS update to eliminate the projection bypass", "Verify that the publicApiProjection setting is preserved in the updated configuration", "Review public API permissions and remove any sensitive fields from public queries"], "summary": {"action": "Patch Now", "impact": "Data confidentiality breach"}, "threat_synthesis": {"affected_systems": "ApostropheCMS, open\u2011source Node.js content\u2011management system, is affected. All releases up to and including 4.28.0 are vulnerable. The vulnerability was resolved in the 4.29.0 release. No specific edition or platform information is provided beyond the generic product name.", "description_and_impact": "ApostropheCMS versions 4.28.0 and earlier suffer an authorization bypass in the getRestQuery method of the @apostrophecms/piece-type module. The bug allows an unauthenticated attacker to supply a project query parameter that is processed before the system\u2019s publicApiProjection check, effectively disabling the admin\u2011configured projection safeguards. This flaw enables disclosure of fields that administrators have explicitly withheld from the public API, such as internal notes, draft content, or metadata. The weakness is a classic informational disclosure (CWE\u2011200) compounded by improper authorization checks (CWE\u2011863). Exploitation is trivial, requiring only an appended query string to a publicly reachable URL.", "risk_and_exploitability": "The CVSS score of 5.3 denotes a moderate severity, with the vulnerability enabling non\u2011authenticated data exposure. EPSS scoring is not available, so the empirical exploitation probability cannot be quantified from the data. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed widespread exploitation reports. The likely attack vector is through any endpoint that accepts a project query parameter in the public REST API, as inferred from the description of the flaw. An attacker can construct a request that includes the project parameter, causing the system to skip the publicApiProjection and return private fields to an unauthenticated client."}}}}, "created": "2026-04-15T22:00:06.618634+00:00", "updated": "2026-04-16T09:00:05.126784+00:00", "vendors": ["apostrophecms", "apostrophecms$PRODUCT$apostrophecms"]}