{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39857", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T19:13:20.379Z", "datePublished": "2026-04-15T19:38:57.564Z", "dateUpdated": "2026-04-16T13:40:17.710Z"}, "containers": {"cna": {"title": "Information Disclosure via `choices`/`counts` Query Parameters Bypassing publicApiProjection Field Restrictions", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-c276-fj82-f2pq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-c276-fj82-f2pq"}, {"name": "https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa", "tags": ["x_refsource_MISC"], "url": "https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa"}], "affected": [{"vendor": "apostrophecms", "product": "apostrophe", "versions": [{"version": "< 4.29.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T19:38:57.564Z"}, "descriptions": [{"lang": "en", "value": "ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, where these query builders execute MongoDB distinct() operations that bypass the publicApiProjection restrictions intended to limit which fields are exposed publicly. The choices and counts parameters are processed via applyBuildersSafely before the projection is applied, and MongoDB's distinct operation does not respect projections, returning all distinct values directly. The results are returned in the API response without any filtering against publicApiProjection or removeForbiddenFields. An unauthenticated attacker can extract all distinct field values for any schema field type that has a registered query builder, including string, integer, float, select, boolean, date, slug, and relationship fields. Fields protected with viewPermission are similarly exposed, and the counts variant additionally reveals how many documents have each distinct value. Both the piece-type and page REST APIs are affected. This issue has been fixed in version 4.29.0."}], "source": {"advisory": "GHSA-c276-fj82-f2pq", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-c276-fj82-f2pq", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T13:40:14.273773Z", "id": "CVE-2026-39857", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:40:17.710Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39857", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T13:40:14.273773Z"}}}], "references": [{"url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-c276-fj82-f2pq", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:40:08.605Z"}}], "cna": {"title": "Information Disclosure via `choices`/`counts` Query Parameters Bypassing publicApiProjection Field Restrictions", "source": {"advisory": "GHSA-c276-fj82-f2pq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "apostrophecms", "product": "apostrophe", "versions": [{"status": "affected", "version": "< 4.29.0"}]}], "references": [{"url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-c276-fj82-f2pq", "name": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-c276-fj82-f2pq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa", "name": "https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, where these query builders execute MongoDB distinct() operations that bypass the publicApiProjection restrictions intended to limit which fields are exposed publicly. The choices and counts parameters are processed via applyBuildersSafely before the projection is applied, and MongoDB's distinct operation does not respect projections, returning all distinct values directly. The results are returned in the API response without any filtering against publicApiProjection or removeForbiddenFields. An unauthenticated attacker can extract all distinct field values for any schema field type that has a registered query builder, including string, integer, float, select, boolean, date, slug, and relationship fields. Fields protected with viewPermission are similarly exposed, and the counts variant additionally reveals how many documents have each distinct value. Both the piece-type and page REST APIs are affected. This issue has been fixed in version 4.29.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T19:38:57.564Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39857", "state": "PUBLISHED", "dateUpdated": "2026-04-16T13:40:17.710Z", "dateReserved": "2026-04-07T19:13:20.379Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-15T19:38:57.564Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apostrophecms:apostrophecms:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CFAFBDF-2EB1-404B-B370-8C510FC289AE", "versionEndExcluding": "4.29.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, where these query builders execute MongoDB distinct() operations that bypass the publicApiProjection restrictions intended to limit which fields are exposed publicly. The choices and counts parameters are processed via applyBuildersSafely before the projection is applied, and MongoDB's distinct operation does not respect projections, returning all distinct values directly. The results are returned in the API response without any filtering against publicApiProjection or removeForbiddenFields. An unauthenticated attacker can extract all distinct field values for any schema field type that has a registered query builder, including string, integer, float, select, boolean, date, slug, and relationship fields. Fields protected with viewPermission are similarly exposed, and the counts variant additionally reveals how many documents have each distinct value. Both the piece-type and page REST APIs are affected. This issue has been fixed in version 4.29.0."}], "id": "CVE-2026-39857", "lastModified": "2026-04-20T17:03:00.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-15T20:16:36.567", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-c276-fj82-f2pq"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-c276-fj82-f2pq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.29.0)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 94.0, "source": "matching"}]}, "original": {"product": "apostrophe", "source": "cna", "vendor": "apostrophecms"}, "product": "apostrophecms", "vendor": "apostrophecms"}], "analysis": {"en": {"generated_at": "2026-04-15T21:52:42.917748+00:00", "value": {"mitigation_remediation": ["Upgrade immediately to ApostropheCMS version 4.29.0 or later, which implements correct projection enforcement.", "If upgrade is delayed, restrict or remove the choices and counts query parameters from the REST API by configuring the system to disallow these builders or by adding middleware that validates and blocks unauthorized access to them.", "Verify that publicApiProjection and removeForbiddenFields are correctly configured to limit exposed fields, and audit the list of fields that are registered with query builders."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Impact extends to all ApostropheCMS installations employing version 4.28.0 or earlier, covering both piece-type and page REST APIs. The vulnerability is resolved in version 4.29.0, which properly applies projection rules before executing distinct queries. Therefore, any deployment using the enumerated vulnerable versions is susceptible until upgraded or otherwise mitigated.", "description_and_impact": "ApostropheCMS (a Node.js content management system) contains an authorization bypass vulnerability in the REST API's choices and counts query parameters. The vulnerability arises because these query builders invoke MongoDB's distinct() operation before the publicApiProjection restrictions are applied. As distinct() ignores projections, an unauthenticated attacker can retrieve all distinct values for any schema field that supports a query builder, including string, integer, float, select, boolean, date, slug, and relationship fields. The results bypass both publicApiProjection and removeForbiddenFields, exposing protected data and, in the case of counts, revealing how many documents hold each value. This results in a direct information disclosure that compromises confidentiality for any exposed fields.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score is unavailable, so the current exploitation probability is unknown but potentially significant due to the ability to reach the vulnerable endpoint without authentication. Since the vulnerability is not listed in the CISA KEV database, there is no public record of exploitation yet; however, the lack of access controls on the affected query parameters constitutes an obvious attack vector for attackers seeking sensitive data. The risk grows with the number of publicly exposed API endpoints and the amount of sensitive fields registered for query building."}}}}, "created": "2026-04-15T22:00:06.617814+00:00", "updated": "2026-04-16T09:00:05.125354+00:00", "vendors": ["apostrophecms", "apostrophecms$PRODUCT$apostrophecms"]}