PT-2026-26483 · Node.Js · Keystone

N0Wsh · Published 2026-03-19 · Updated 2026-05-04 · CVE-2026-33326

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Keystone versions prior to 6.5.2

Description

Keystone is a content management system for Node.js. An access control bypass exists in findMany queries through the cursor parameter. Specifically, the {field}.isFilterable access control can be circumvented, potentially allowing confirmation of the existence of records with protected field values. The fix for a related issue (CVE-2025-46720) addressed the where parameter in update and delete mutations but did not include the cursor parameter in findMany. This allows bypassing isFilterable access control using a function. The issue impacts projects relying on isFilterable behavior to prevent external users from using filtering as a discovery mechanism. The API endpoint affected is findMany. The vulnerable parameter is cursor.

Recommendations

Update to Keystone version 6.5.2 or later.
As a workaround, set {field}.isFilterable: false statically for relevant fields.
As a workaround, set {field}.graphql.omit.read: true for relevant fields.
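
A pre-upgrade check for the workarounds above, as an added example that is not code from Keystone or from this advisory. It assumes a project's field options are available as plain objects (the sampleLists layout and all function names are hypothetical) and treats function-valued isFilterable as the configuration the cursor bypass affects, which is this example's reading of the "statically" wording in the workaround.

```javascript
// Added example, not Keystone code. Field options are modelled as plain objects
// (an assumption); only isFilterable and graphql.omit.read come from the advisory.
const FIXED_VERSION = [6, 5, 2]; // advisory: versions prior to 6.5.2 are affected

// True when a dotted version string is lower than the fixed release.
function isAffectedVersion(version) {
  const parts = version.split('.').map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < FIXED_VERSION.length; i++) {
    const have = parts[i] ?? 0;
    if (have !== FIXED_VERSION[i]) return have < FIXED_VERSION[i];
  }
  return false;
}

// Classify one field's options against the two workarounds the advisory lists.
function classifyField(options = {}) {
  if (options.graphql?.omit?.read === true) return 'mitigated: graphql.omit.read';
  if (options.isFilterable === false) return 'mitigated: static isFilterable false';
  if (typeof options.isFilterable === 'function') return 'at risk: dynamic isFilterable';
  return 'no isFilterable restriction';
}

// Return "List.field" keys whose filter protection is decided by a function
// while the installed version is still below the fixed release.
function findAtRiskFields(lists, version) {
  if (!isAffectedVersion(version)) return [];
  const hits = [];
  for (const [listKey, fields] of Object.entries(lists)) {
    for (const [fieldKey, options] of Object.entries(fields)) {
      if (classifyField(options).startsWith('at risk')) hits.push(`${listKey}.${fieldKey}`);
    }
  }
  return hits;
}

// Constructed sample: one unrestricted field, one dynamic rule, and one field
// for each workaround.
const sampleLists = {
  User: {
    name: {},
    email: { isFilterable: ({ session }) => Boolean(session) },
    resetToken: { isFilterable: false },
    apiKey: { isFilterable: () => false, graphql: { omit: { read: true } } },
  },
};

console.log(findAtRiskFields(sampleLists, '6.5.1')); // [ 'User.email' ]
```

Fields reported here are the ones to switch to one of the two workarounds until the upgrade to 6.5.2 or later is deployed.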

Weakness Enumeration

Incorrect Authorization

Related identifiers

CVE-2026-33326
GHSA-CGCG-Q9JH-5PR2

Affected products

Keystone