Homepage

Information Exposure Affecting @keystone-6/core package, versions <6.5.2

Severity

 Recommended
0.0
low
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-KEYSTONE6CORE-15701281
  • published20 Mar 2026
  • disclosed19 Mar 2026
  • creditTergel Galbadrakh
Report a new vulnerability Found a mistake?

Introduced: 19 Mar 2026

NewCVE-2026-33326  (opens in a new tab)
CWE-203  (opens in a new tab)

How to fix?

Upgrade @keystone-6/core to version 6.5.2 or higher.

Overview

Affected versions of this package are vulnerable to Information Exposure when applying isFilterable to sensitive data. By adding malicious uniqueness filters to the where clause of an update or delete operation, a user can infer the presence of specific values in records the user does not have permission to read.

Notes:

  1. This vulnerability has no impact on fields to which isFilterable: false or defaultIsFilterable: false are applied

  2. This is caused by an incomplete fix for CVE-2025-46720

Workaround

This vulnerability can be avoided by any of the following means:

  • setting isFilterable: false statically for sensitive fields

  • setting {field}.graphql.omit.read: true for sensitive fields

  • denying all update and delete operations for the lists containing sensitive values

CVSS Base Scores

version 4.0
version 3.1