ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware
- Severity: High
Description
No description available.
Recommendation
Update the apostrophe package to the latest compatible version. Version details:
- Affected version(s): <= 4.27.1
- Patched version(s): 4.28.0
References
Related Issues
- Parse Server has a query condition depth bypass via pre-validation transform pipeline - CVE-2026-33498
- Parse Server has a protected fields bypass via dot-notation in query and sort - CVE-2026-31872
- @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware - CVE-2026-29087
- Parse Server has a protected fields bypass via logical query operators - CVE-2026-30962
- Tags: npm, apostrophe
Last updated on March 19, 2026