ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware
- Severity: High
Description
No description available.
Recommendation
Update the apostrophe package to the latest compatible version. Version details:
- Affected version(s): <= 4.27.1
- Patched version(s): 4.28.0
References
Related Issues
- ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API - CVE-2026-33888
- ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restriction - CVE-2026-39857
- Parse Server has an MFA single-use token bypass via concurrent authData login requests - CVE-2026-34224
- ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context - CVE-2026-33889
- Tags:
- npm
- apostrophe
Last updated on March 19, 2026