PT-2023-27221 · Unknown · @Keystone-6/Core

Dcousens · Published 2023-08-15 · Updated 2023-08-23 · CVE-2023-40027

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: @keystone-6/core versions prior to 5.5.1
Description: The issue arises when ui.isAccessAllowed is left undefined: the adminMeta GraphQL query then becomes publicly accessible without requiring a session. This differs from the default AdminUI middleware, which only allows public access if no session strategy is defined. The vulnerability affects users who rely on their session strategy to restrict public access to adminMeta by default, in the same way the AdminUI middleware does. It does not affect developers using the @keystone-6/auth package or those who have defined their own ui.isAccessAllowed function.
Recommendations: For versions prior to 5.5.1, upgrade to version 5.5.1 to resolve the issue. As a temporary workaround for users unable to upgrade, write your own isAccessAllowed function so that adminMeta is never served to a request without a session.
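The following is an added example, not code from Keystone or from this advisory. It shows the recommended workaround, supplying your own ui.isAccessAllowed that denies any request without a resolved session, next to the weak configuration (hook left undefined) the advisory describes. The context shape (an object whose session property is undefined when no session was resolved) follows Keystone's documented hook signature; the helper names requireSession, decideAdminMetaAccess and auditAdminMetaExposure, the sample contexts, and the simplified access model are assumptions made for this illustration and do not reproduce Keystone's actual middleware.

```javascript
// Workaround from the advisory: deny anything that has no resolved session.
// `context.session` is undefined when Keystone could not resolve a session.
function requireSession(context) {
  return Boolean(context && context.session);
}

// Hardened `ui` fragment a project would pass to config({...}) from
// @keystone-6/core (assumed shape; only the `ui` portion is shown).
const hardenedUiConfig = {
  ui: { isAccessAllowed: requireSession },
};

// Weak configuration the advisory describes: the hook left undefined,
// which in affected versions exposes adminMeta without a session.
const weakUiConfig = {
  ui: { isAccessAllowed: undefined },
};

// Simplified model (an assumption, not Keystone's code) of the decision the
// advisory describes: with the hook undefined, adminMeta is served publicly;
// with the hook defined, the hook decides. Keystone's real hook may also
// return a Promise<boolean>; this synchronous model does not await it.
function decideAdminMetaAccess(keystoneConfig, context) {
  const hook = keystoneConfig.ui && keystoneConfig.ui.isAccessAllowed;
  if (hook === undefined) {
    return true; // vulnerable default in versions prior to 5.5.1
  }
  return Boolean(hook(context));
}

// Constructed sample contexts: one anonymous request, one with a session.
const anonymousContext = { session: undefined };
const authenticatedContext = { session: { itemId: 'user-1', listKey: 'User' } };

// Defensive check: would an anonymous request be granted adminMeta access
// under this configuration? Returns true when the config is exposed.
function auditAdminMetaExposure(keystoneConfig) {
  return decideAdminMetaAccess(keystoneConfig, anonymousContext);
}

console.log('weak config exposed:', auditAdminMetaExposure(weakUiConfig));         // true
console.log('hardened config exposed:', auditAdminMetaExposure(hardenedUiConfig)); // false
console.log('hardened, with session:',
  decideAdminMetaAccess(hardenedUiConfig, authenticatedContext));                  // true
```

The point of the audit helper is that the fix is a positive check, not a negated one: an undefined hook must be treated as "exposed" rather than "use the default", because the default is exactly what the advisory says is wrong in affected versions.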

Weakness Enumeration
Missing Authorization

Related Identifiers
CVE-2023-40027
GHSA-9CVC-V7WM-992C

Affected Products
@Keystone-6/Core