CVE-2026-39857: ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions

April 16, 2026

The choices and counts query parameters in the Apostrophe CMS REST API allow unauthenticated users to extract distinct field values for any schema field that has a registered query builder, completely bypassing publicApiProjection restrictions that are intended to limit which fields are exposed publicly. Fields protected by viewPermission are similarly exposed.

References

github.com/advisories/GHSA-c276-fj82-f2pq
github.com/apostrophecms/apostrophe
github.com/apostrophecms/apostrophe/commit/6c2b548dec2e3f7a82e8e16736603f4cd17525aa
github.com/apostrophecms/apostrophe/security/advisories/GHSA-c276-fj82-f2pq
nvd.nist.gov/vuln/detail/CVE-2026-39857

Code Behaviors & Features

Detect and mitigate CVE-2026-39857 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →