ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions
- Severity: Medium
Description
The choices and counts query parameters in the Apostrophe CMS REST API allow unauthenticated users to extract distinct field values for any schema field that has a registered query builder, completely bypassing publicApiProjection restrictions that are intended to limit which fields are exposed publicly.
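As an added illustration (not part of this advisory and not ApostropheCMS project code), the Node.js script below triages a web-server access log for requests that pass `choices` or `counts` to a piece-type REST endpoint and reports which requested fields fall outside the projection the site intended to be public. It assumes combined log format, Apostrophe's default `/api/v1/` API prefix, and a projection map you fill in from your own module options; the sample log lines, the `article` piece type, and the field names `authorEmail`, `internalNotes` and `status` are constructed for the example. A combined log does not record whether the caller had a session, so hits still need to be checked against your authentication data before being treated as exposure.

```javascript
// Added example (not ApostropheCMS project code): triage web-server access
// logs for `choices` / `counts` queries against piece-type REST endpoints.
// Assumptions: combined log format, REST API mounted under /api/v1/ (the
// Apostrophe default); the sample lines and field names below are constructed.

const COMBINED = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*"$/;

// Constructed sample log: documentation-range IPs, made-up field names.
const SAMPLE_LOG = [
  '192.0.2.10 - - [16/Apr/2026:10:00:01 +0000] "GET /api/v1/article?choices=tags HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '192.0.2.10 - - [16/Apr/2026:10:00:02 +0000] "GET /api/v1/article?choices=authorEmail,internalNotes&counts=status HTTP/1.1" 200 873 "-" "curl/8.0"',
  '198.51.100.7 - - [16/Apr/2026:10:00:03 +0000] "GET /api/v1/article?page=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [16/Apr/2026:10:00:04 +0000] "GET /assets/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"'
];

// Hypothetical publicApiProjection per piece type: the fields the site meant
// to expose without authentication. Mirror your own module options here.
const SAMPLE_PROJECTIONS = { article: ['title', 'slug', 'tags', '_url'] };

function parseLine(line) {
  const m = COMBINED.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Collect field names from `?choices=a,b`, `?counts=c` and the `[]` array form.
function requestedFields(searchParams) {
  const fields = [];
  for (const key of ['choices', 'counts', 'choices[]', 'counts[]']) {
    for (const value of searchParams.getAll(key)) {
      fields.push(...value.split(',').map((s) => s.trim()).filter(Boolean));
    }
  }
  return [...new Set(fields)];
}

// Every GET under the API prefix that carries choices/counts, with the
// piece type taken from the first path segment after the prefix.
function findChoiceProbes(lines, { apiPrefix = '/api/v1/' } = {}) {
  const hits = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req || req.method !== 'GET' || !req.target.startsWith(apiPrefix)) continue;
    const url = new URL(req.target, 'http://localhost'); // base only for parsing
    const fields = requestedFields(url.searchParams);
    if (fields.length === 0) continue;
    hits.push({
      ip: req.ip,
      time: req.time,
      status: req.status,
      pieceType: url.pathname.slice(apiPrefix.length).split('/')[0],
      fields
    });
  }
  return hits;
}

// Keep only hits that asked for fields the projection never intended to expose.
function fieldsOutsideProjection(hits, projections) {
  return hits
    .map((h) => {
      const allowed = new Set(projections[h.pieceType] || []);
      return { ...h, outside: h.fields.filter((f) => !allowed.has(f)) };
    })
    .filter((h) => h.outside.length > 0);
}

// Stand-alone usage: `node probes.js access.log`, or no argument for the sample.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('node:fs');
  const lines = process.argv[2]
    ? fs.readFileSync(process.argv[2], 'utf8').split('\n')
    : SAMPLE_LOG;
  for (const h of fieldsOutsideProjection(findChoiceProbes(lines), SAMPLE_PROJECTIONS)) {
    console.log(`${h.time} ${h.ip} ${h.pieceType} status=${h.status} outside projection: ${h.outside.join(', ')}`);
  }
}
```

Requests for fields that are inside the projection (the `tags` request above) are dropped on purpose, since those values were already public through the normal listing; the remaining hits are the ones worth correlating with session data and, on a still-unpatched site, with the field's query builder.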
Recommendation
Update the apostrophe package to the latest compatible version. Version details:
- Affected version(s): <= 4.28.0
- Patched version(s): 4.29.0
Related Issues
- ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API - CVE-2026-33888
- ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware - CVE-2026-32730
- ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context - CVE-2026-33889
- Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget - CVE-2026-45012
- Tags: npm, apostrophe
Last updated on April 16, 2026


