CVE-2026-33888: ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API
The getRestQuery method in the @apostrophecms/piece-type module checks whether a MongoDB projection has already been set before applying the admin-configured publicApiProjection. An unauthenticated attacker can supply a project query parameter in the REST API request to pre-populate the projection state, causing the security-enforced publicApiProjection to be skipped entirely. This allows disclosure of fields that the site administrator explicitly restricted from public access.
References
- github.com/advisories/GHSA-xhq9-58fw-859p
- github.com/apostrophecms/apostrophe
- github.com/apostrophecms/apostrophe/commit/00d472804bb622df36a761b6f2cf2b33b2d4ce80
- github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa
- github.com/apostrophecms/apostrophe/security/advisories/GHSA-xhq9-58fw-859p
- nvd.nist.gov/vuln/detail/CVE-2026-33888