CVE-2026-39857: Information Disclosure via Authorization Bypass in ApostropheCMS REST API

Vulnerability ID: CVE-2026-39857
CVSS Score: 5.3
Published: 2026-04-16

ApostropheCMS versions 4.28.0 and prior contain an authorization bypass vulnerability in the REST API's 'choices' and 'counts' query builders. These parameters execute MongoDB aggregation operations that bypass configured public API projections, permitting unauthenticated attackers to extract distinct values for restricted schema fields.

TL;DR

Unauthenticated attackers can bypass API projections in ApostropheCMS <= 4.28.0 using the 'choices' and 'counts' parameters to exfiltrate restricted field data.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-863
Attack Vector: Network
CVSS v3.1: 5.3
EPSS Score: 0.00037
Impact: Confidentiality (Low)
Exploitation Status: PoC Available
CISA KEV: No

Affected Systems

ApostropheCMS <= 4.28.0
Node.js Applications using ApostropheCMS
ApostropheCMS: <= 4.28.0 (Fixed in: 4.29.0)

Code Analysis

Commit: 6c2b548

Fix: Apply projection and viewPermission checks to distinct() queries for choices and counts endpoints

Exploit Details

GitHub Advisory: PoC exists within the official fix commit test cases.

Mitigation Strategies

Upgrade application core components to the latest stable release.
Implement strict Web Application Firewall (WAF) rules to filter specific query parameters.
Audit public API endpoint projections and explicit field exclusion configurations.

Remediation Steps:

Verify current ApostropheCMS version via package.json.
Execute package manager update to install ApostropheCMS >= 4.29.0.
Review and test piece and page type schemas for correct publicApiProjection syntax.
Deploy WAF rules blocking 'choices' and 'counts' parameters on REST endpoints if patching is delayed.