Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40keystone-6/core@5.5.1
Type npm
Namespace @keystone-6
Name core
Version 5.5.1
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 6.5.2
Latest_non_vulnerable_version 6.5.2
Affected_by_vulnerabilities
0
url VCID-5kdx-3r3z-nye2
vulnerability_id VCID-5kdx-3r3z-nye2
summary
@keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany (CVE-2025-46720 incomplete fix)
# Summary  
`{field}.isFilterable` access control can be bypassed in `findMany` queries by passing a `cursor`. This can be used to confirm the existence of records by protected field values.

The fix for [CVE-2025-46720](https://github.com/keystonejs/keystone/security/advisories/GHSA-hg9m-67mm-7pg3) (field-level `isFilterable` bypass for update and delete mutations) added checks to the `where` parameter in `update` and `delete` mutations; however, the `cursor` parameter in `findMany` was not patched and accepts the same `UniqueWhere` input type.

# Impact  
This affects any project relying on `isFilterable` behaviour (at the list or field level) to prevent external users from using the filtering of fields as a discovery mechanism. `isFilterable` access control using a function can be bypassed by using the `cursor` input.

This has no impact on projects using `isFilterable: false` or `defaultIsFilterable: false` for sensitive fields, or if you have otherwise omitted filtering by these fields from your GraphQL schema. (See workarounds)

# Patches  
This issue has been patched in `@keystone-6/core` version 6.5.2.

# Workarounds  
To mitigate this issue in older versions where patching is not a viable pathway:

- Set `{field}.isFilterable: false` statically for relevant fields to prevent filtering by them earlier in the access control pipeline (that is, don't use functions)
- Set `{field}.graphql.omit.read: true` for relevant fields, which implicitly removes filtering by these fields from your GraphQL schema
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33326
reference_id
reference_type
scores
0
value 0.00013
scoring_system epss
scoring_elements 0.02287
published_at 2026-06-05T12:55:00Z
1
value 0.00013
scoring_system epss
scoring_elements 0.02293
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33326
1
reference_url https://github.com/keystonejs/keystone
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keystonejs/keystone
2
reference_url https://github.com/keystonejs/keystone/security/advisories/GHSA-cgcg-q9jh-5pr2
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:37:00Z/
url https://github.com/keystonejs/keystone/security/advisories/GHSA-cgcg-q9jh-5pr2
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33326
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33326
4
reference_url https://github.com/advisories/GHSA-cgcg-q9jh-5pr2
reference_id GHSA-cgcg-q9jh-5pr2
reference_type
scores
url https://github.com/advisories/GHSA-cgcg-q9jh-5pr2
fixed_packages
0
url pkg:npm/%40keystone-6/core@6.5.2
purl pkg:npm/%40keystone-6/core@6.5.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@6.5.2
aliases CVE-2026-33326, GHSA-cgcg-q9jh-5pr2
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5kdx-3r3z-nye2
1
url VCID-gxmq-8d4q-xqdm
vulnerability_id VCID-gxmq-8d4q-xqdm
summary
Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields
`{field}.isFilterable` access control can be bypassed in `update` and `delete` mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields.

Specifically, when a mutation includes a `where` clause with multiple unique filters (e.g. `id` and `email`), Keystone will attempt to match records even if filtering by the latter fields would normally be rejected by `field.isFilterable` or `list.defaultIsFilterable`. This can allow malicious actors to infer the presence of a particular field value when a filter is successful in returning a result.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-46720
reference_id
reference_type
scores
0
value 0.00062
scoring_system epss
scoring_elements 0.19561
published_at 2026-06-05T12:55:00Z
1
value 0.00062
scoring_system epss
scoring_elements 0.19556
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-46720
1
reference_url https://github.com/keystonejs/keystone
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/keystonejs/keystone
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-46720
reference_id CVE-2025-46720
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-46720
3
reference_url https://github.com/advisories/GHSA-hg9m-67mm-7pg3
reference_id GHSA-hg9m-67mm-7pg3
reference_type
scores
url https://github.com/advisories/GHSA-hg9m-67mm-7pg3
4
reference_url https://github.com/keystonejs/keystone/security/advisories/GHSA-hg9m-67mm-7pg3
reference_id GHSA-hg9m-67mm-7pg3
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-05T18:59:54Z/
url https://github.com/keystonejs/keystone/security/advisories/GHSA-hg9m-67mm-7pg3
fixed_packages
0
url pkg:npm/%40keystone-6/core@6.5.0
purl pkg:npm/%40keystone-6/core@6.5.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5kdx-3r3z-nye2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@6.5.0
aliases CVE-2025-46720, GHSA-hg9m-67mm-7pg3
risk_score 1.4
exploitability 0.5
weighted_severity 2.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gxmq-8d4q-xqdm
Fixing_vulnerabilities
0
url VCID-ppy6-36tw-sqft
vulnerability_id VCID-ppy6-36tw-sqft
summary
Missing Authorization
Keystone is an open source headless CMS for Node.js — built with GraphQL and React. When `ui.isAccessAllowed` is set as `undefined`, the `adminMeta` GraphQL query is publicly accessible (no session required). This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible (no session required) if a `session` strategy is not defined. This vulnerability does not affect developers using the `@keystone-6/auth` package, or any users that have written their own `ui.isAccessAllowed` (that is to say, `isAccessAllowed` is not `undefined`). This vulnerability does affect users who believed that their `session` strategy will, by default, enforce that `adminMeta` is inaccessible by the public in accordance with that strategy, akin to the behaviour of the AdminUI middleware. This vulnerability has been patched in `@keystone-6/core` version `5.5.1`. Users are advised to upgrade. Users unable to upgrade may opt to write their own `isAccessAllowed` functionality to work around this vulnerability.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-40027
reference_id
reference_type
scores
0
value 0.00321
scoring_system epss
scoring_elements 0.55432
published_at 2026-06-06T12:55:00Z
1
value 0.00321
scoring_system epss
scoring_elements 0.55427
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-40027
1
reference_url https://github.com/keystonejs/keystone
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keystonejs/keystone
2
reference_url https://github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:45:13Z/
url https://github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284
3
reference_url https://github.com/keystonejs/keystone/pull/8771
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:45:13Z/
url https://github.com/keystonejs/keystone/pull/8771
4
reference_url https://github.com/keystonejs/keystone/releases/tag/2023-08-15
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keystonejs/keystone/releases/tag/2023-08-15
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-40027
reference_id CVE-2023-40027
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-40027
6
reference_url https://github.com/advisories/GHSA-9cvc-v7wm-992c
reference_id GHSA-9cvc-v7wm-992c
reference_type
scores
url https://github.com/advisories/GHSA-9cvc-v7wm-992c
7
reference_url https://github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c
reference_id GHSA-9cvc-v7wm-992c
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:45:13Z/
url https://github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c
fixed_packages
0
url pkg:npm/%40keystone-6/core@5.5.1
purl pkg:npm/%40keystone-6/core@5.5.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5kdx-3r3z-nye2
1
vulnerability VCID-gxmq-8d4q-xqdm
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@5.5.1
aliases CVE-2023-40027, GHSA-9cvc-v7wm-992c
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ppy6-36tw-sqft
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540keystone-6/core@5.5.1