Authorization Bypass Through User-Controlled Key Affecting apostrophe package, versions <4.29.0
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Authorization Bypass Through User-Controlled Key vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JS-APOSTROPHE-16083669
- published16 Apr 2026
- disclosed15 Apr 2026
- creditoffset
Introduced: 15 Apr 2026
NewCVE-2026-39857 (opens in a new tab)How to fix?
Upgrade apostrophe to version 4.29.0 or higher.
Overview
apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS.
Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the choices and counts query parameters in the REST API, which execute MongoDB distinct operations without applying field projection restrictions. An attacker can bypass publicApiProjection restrictions to retrieve all values for any schema field that has a registered query builder, including those protected by view permissions. The response may include sensitive information from fields that should not be publicly accessible, of types such as string, integer, float, select, boolean, date, slug, and relationship, as well as document counts for each value.