PT-2026-26158 · Unknown · Apostrophe Cms+3
0Xkakash1 · Published 2026-03-18 · Updated 2026-03-19 · CVE-2026-32730
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ApostropheCMS versions 3.0.0 through 4.27.1
Description: ApostropheCMS contains a flaw in the bearer token authentication middleware located in @apostrophecms/express/index.js. An incorrect MongoDB query allows incomplete login tokens – ones for which password verification succeeded but multi-factor authentication (MFA) requirements were not yet met – to be used as fully authenticated bearer tokens. This bypasses MFA for any ApostropheCMS deployment using @apostrophecms/login-totp or custom afterPasswordVerified login requirements. The issue stems from the use of the $ne: [] MongoDB operator in the query, which incorrectly matches tokens whose requirements are still unverified. Additionally, a separate bug in @apostrophecms/login/index.js prevents the deletion of incomplete tokens, exacerbating the vulnerability. An attacker with a victim's username and password, but without their TOTP code, can exploit this flaw to gain full API access. The API endpoint /api/v1/@apostrophecms/page is accessible with the compromised bearer token. The vulnerable parameter is the bearer token itself, passed in the Authorization header.
Recommendations: Update to ApostropheCMS version 4.28.0 or later. Replace $ne: [] with $size: 0 in the bearer token query located in @apostrophecms/express/index.js (line 388). Replace token.userId with token._id in the token deletion logic within @apostrophecms/login/index.js (lines 728-729 and 735-736).
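The following is an added example, not ApostropheCMS code: it emulates how MongoDB evaluates the two operators named above against bearer-token documents, so the difference between the weak query and the recommended fix can be checked offline. The field name requirementsToVerify, the token documents and the requirement name are assumptions; the emulation covers only $ne and $size and does not reconstruct the full ApostropheCMS query.

```javascript
// Constructed sample token store (assumed shapes): one fully authenticated
// token, one whose password was verified but whose TOTP step is still pending,
// and one older token that never had the field at all.
const bearerTokens = [
  { _id: 'tok-complete',   userId: 'alice', requirementsToVerify: [] },
  { _id: 'tok-incomplete', userId: 'alice', requirementsToVerify: ['AposTotp'] },
  { _id: 'tok-legacy',     userId: 'alice' },
];

// Minimal emulation of MongoDB matching for $ne and $size on an array field.
function matchesOperator(value, op) {
  if ('$size' in op) {
    // $size matches only an array of exactly that length; a missing or
    // non-array field never matches.
    return Array.isArray(value) && value.length === op.$size;
  }
  if ('$ne' in op && Array.isArray(op.$ne) && op.$ne.length === 0) {
    // Equality against [] holds when the field is exactly [] or contains []
    // as an element; $ne negates that and also matches documents that lack
    // the field entirely.
    const eq = Array.isArray(value) &&
      (value.length === 0 || value.some(v => Array.isArray(v) && v.length === 0));
    return !eq;
  }
  throw new Error('operator not covered by this emulation');
}

// Returns the _ids of tokens the query would treat as valid bearer tokens.
function findTokens(query) {
  return bearerTokens
    .filter(doc => Object.entries(query)
      .every(([field, op]) => matchesOperator(doc[field], op)))
    .map(doc => doc._id);
}

const weakQuery  = { requirementsToVerify: { $ne: [] } };  // pre-4.28.0 form per advisory
const fixedQuery = { requirementsToVerify: { $size: 0 } }; // recommended replacement

// $ne: [] is "anything except exactly empty": it accepts the token with an
// unmet MFA requirement and the token with no requirement list at all.
console.log(findTokens(weakQuery));   // ['tok-incomplete', 'tok-legacy']
// $size: 0 accepts only tokens whose requirement list is present and empty.
console.log(findTokens(fixedQuery));  // ['tok-complete']
```

A regression test for a deployment's own token store is the same check: assert that no token with a non-empty requirement list is returned by the bearer-token lookup.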

Weakness Enumeration
Improper Authentication

Related Identifiers
CVE-2026-32730
GHSA-V9XM-FFX2-7H35

Affected Products
@Apostrophecms/Express
@Apostrophecms/Login
@Apostrophecms/Login-Totp
Apostrophe Cms