ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API

Severity:: Medium

Description

The getRestQuery method in the @apostrophecms/piece-type module checks whether a MongoDB projection has already been set before applying the admin-configured publicApiProjection.

Recommendation

Update the apostrophe package to the latest compatible version. Followings are version details:

Affected version(s): < 4.29.0
Patched version(s): 4.29.0

References

GHSA-xhq9-58fw-859p
CVE-2026-33888
CWE-200
CWE-863
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware - CVE-2026-32730
ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictio - CVE-2026-39857
Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API - CVE-2026-30946
Parse Server has a query condition depth bypass via pre-validation transform pipeline - CVE-2026-33498

10 Secure Coding Best Practices to Follow in Every Project

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

How to Secure your NodeJs Express Javascript Application - part 2

Tags:: npm; apostrophe

Anything's wrong? Let us know Last updated on April 16, 2026