Researcher: N0Wsh

Rank #51989 of 53,632 · Total CVSS 4.3 · Vulnerabilities: 1
PT-2026-26483 · CVSS 4.3 · 2026-03-19 · Node.js · Keystone · CVE-2026-33326
**Name of the Vulnerable Software and Affected Versions**

Keystone versions prior to 6.5.2

**Description**

Keystone is a content management system for Node.js. An access control bypass exists in `findMany` queries through the `cursor` parameter: the `{field}.isFilterable` access control can be circumvented, potentially allowing an external user to confirm the existence of records with protected field values. The fix for a related issue (CVE-2025-46720) addressed the `where` parameter in `update` and `delete` mutations but did not cover the `cursor` parameter of `findMany`. When `isFilterable` is configured as a function, the `cursor` parameter therefore bypasses that access control. The issue impacts projects that rely on `isFilterable` to prevent external users from using filtering as a record-discovery mechanism. The affected API endpoint is `findMany`; the vulnerable parameter is `cursor`.

**Recommendations**

Update to Keystone version 6.5.2 or later. As a workaround, set `{field}.isFilterable: false` statically for the relevant fields, or set `{field}.graphql.omit.read: true` for the relevant fields.
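The following is an added example, not code from the advisory or from the Keystone project: a small audit that walks a Keystone-style schema object and flags fields whose `isFilterable` is a function (the configuration the advisory says `cursor` on `findMany` could bypass before 6.5.2) unless the field is also omitted from read. The `exampleLists` schema, its list and field names and the `isAdmin` session check are constructed stand-ins for what a project would pass to Keystone's `list()`; the weak and hardened field definitions sit side by side.

```javascript
// Audit a Keystone-style schema object for `isFilterable` settings that depend on a
// runtime function. Such fields keep their `where` protection but, before Keystone
// 6.5.2, the `cursor` parameter of `findMany` was not subject to the same check.
// Setting `isFilterable: false` statically, or `graphql.omit.read: true`, removes the
// exposure, so fields configured either way are not reported.
function auditFilterableFields(lists) {
  const findings = [];
  for (const [listKey, listConfig] of Object.entries(lists)) {
    for (const [fieldKey, field] of Object.entries(listConfig.fields ?? {})) {
      const omit = field.graphql?.omit;
      const omittedFromRead = omit === true || omit?.read === true;
      if (omittedFromRead) continue; // field never appears in read queries at all
      if (typeof field.isFilterable === 'function') {
        findings.push({
          list: listKey,
          field: fieldKey,
          reason: 'isFilterable is a function; use a static false or graphql.omit.read',
        });
      }
    }
  }
  return findings;
}

// Constructed schema (hypothetical list and field names) showing the weak setting
// beside the two workarounds from the advisory.
const exampleLists = {
  Account: {
    fields: {
      name: { type: 'text' },
      // Weak: filtering gated by a runtime function, bypassable via `cursor` pre-6.5.2
      secretCode: {
        type: 'text',
        isFilterable: ({ session }) => Boolean(session?.data?.isAdmin),
      },
    },
  },
  AccountHardened: {
    fields: {
      name: { type: 'text' },
      // Workaround 1: static false cannot be bypassed by `cursor`
      secretCode: { type: 'text', isFilterable: false },
      // Workaround 2: omit the field from read operations entirely
      recoveryToken: { type: 'text', graphql: { omit: { read: true } } },
    },
  },
};

module.exports = { auditFilterableFields, exampleLists };
```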