Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-pt6d-cm84-e7c4
Vulnerability ID VCID-pt6d-cm84-e7c4
Aliases CVE-2026-39857
GHSA-c276-fj82-f2pq
Summary ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, where these query builders execute MongoDB distinct() operations that bypass the publicApiProjection restrictions intended to limit which fields are exposed publicly. The choices and counts parameters are processed via applyBuildersSafely before the projection is applied, and MongoDB's distinct operation does not respect projections, returning all distinct values directly. The results are returned in the API response without any filtering against publicApiProjection or removeForbiddenFields. An unauthenticated attacker can extract all distinct field values for any schema field type that has a registered query builder, including string, integer, float, select, boolean, date, slug, and relationship fields. Fields protected with viewPermission are similarly exposed, and the counts variant additionally reveals how many documents have each distinct value. Both the piece-type and page REST APIs are affected. This issue has been fixed in version 4.29.0.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00031 https://api.first.org/data/v1/epss?cve=CVE-2026-39857
epss 0.00031 https://api.first.org/data/v1/epss?cve=CVE-2026-39857
epss 0.00031 https://api.first.org/data/v1/epss?cve=CVE-2026-39857
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-c276-fj82-f2pq
cvssv3.1 5.3 https://github.com/apostrophecms/apostrophe
generic_textual MODERATE https://github.com/apostrophecms/apostrophe
cvssv3.1 5.3 https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa
generic_textual MODERATE https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa
ssvc Track https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa
cvssv3.1 5.3 https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-c276-fj82-f2pq
cvssv3.1_qr MODERATE https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-c276-fj82-f2pq
generic_textual MODERATE https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-c276-fj82-f2pq
ssvc Track https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-c276-fj82-f2pq
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2026-39857
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-39857
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-39857
https://github.com/apostrophecms/apostrophe
https://nvd.nist.gov/vuln/detail/CVE-2026-39857
6c2b548dec2e3f7a82e8e16736603f4cd17525aa https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa
GHSA-c276-fj82-f2pq https://github.com/advisories/GHSA-c276-fj82-f2pq
GHSA-c276-fj82-f2pq https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-c276-fj82-f2pq
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/apostrophecms/apostrophe
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-16T13:40:14Z/ Found at https://github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-c276-fj82-f2pq
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-16T13:40:14Z/ Found at https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-c276-fj82-f2pq
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-39857
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.09359
EPSS Score 0.00031
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:45:59.589859+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/39xxx/CVE-2026-39857.json 38.6.0