PT-2026-33170 · Unknown · Apostrophe Cms

Published: 2026-04-15 · Updated: 2026-04-16 · CVE-2026-33888

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: ApostropheCMS versions prior to 4.29.0

Description: An authorization bypass exists in the getRestQuery() function of the @apostrophecms/piece-type module. The function checks whether a MongoDB projection is already set before applying the administrator-configured publicApiProjection. An unauthenticated attacker can supply a project query parameter in a REST API request, which is processed by applyBuildersSafely() before the permission check. This pre-populates the projection state, so the publicApiProjection is skipped entirely. As a result, any field on publicly queryable documents that the administrator explicitly restricted from the public API, such as internal notes, draft content, or metadata, can be disclosed.

Recommendations: Update to version 4.29.0.
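As an added illustration, not code from ApostropheCMS or from this advisory, the following simplified JavaScript models the ordering problem the description lays out: request builders set the projection first, and a guard that only applies the public projection "if none is set" is then skipped. The function names mirror the ones the advisory cites, but their bodies, the sample document, the publicApiProjection whitelist, and the hardened variant (which intersects a client-supplied projection with the whitelist for unauthenticated callers) are constructed assumptions for this example.

```javascript
// Hypothetical model of the "projection already set" check described in the
// advisory. Not ApostropheCMS's own code; names mirror the advisory only.

// Constructed sample document: the administrator intends only title and slug
// to be visible through the public REST API.
const SAMPLE_DOC = {
  _id: 'doc1',
  title: 'Public article',
  slug: 'public-article',
  internalNotes: 'do not publish',
  draftBody: 'unfinished text'
};

// Administrator-configured whitelist (assumed shape: MongoDB inclusion projection).
const PUBLIC_API_PROJECTION = { title: 1, slug: 1 };

// Models the request-builder stage that runs BEFORE the permission check:
// a client-supplied `project` parameter becomes the query's projection.
function applyBuildersSafely(query, params) {
  if (params.project && typeof params.project === 'object') {
    query.projection = { ...params.project };
  }
  return query;
}

// Vulnerable ordering: the public projection is applied only when no
// projection is set yet, so a client-supplied one causes it to be skipped.
function buildRestQueryVulnerable(params, isAuthenticated) {
  const query = {};
  applyBuildersSafely(query, params);
  if (!isAuthenticated && !query.projection) {
    query.projection = { ...PUBLIC_API_PROJECTION };
  }
  return query;
}

// Hardened ordering: for unauthenticated callers the whitelist is always
// enforced. A client-supplied projection may narrow it but never widen it.
function buildRestQueryFixed(params, isAuthenticated) {
  const query = {};
  applyBuildersSafely(query, params);
  if (!isAuthenticated) {
    const requested = query.projection;
    if (!requested) {
      query.projection = { ...PUBLIC_API_PROJECTION };
    } else {
      const allowed = {};
      for (const field of Object.keys(requested)) {
        if (PUBLIC_API_PROJECTION[field]) allowed[field] = 1;
      }
      // An empty projection object would mean "all fields" in MongoDB, so an
      // empty intersection falls back to the whitelist, never to everything.
      query.projection = Object.keys(allowed).length
        ? allowed
        : { ...PUBLIC_API_PROJECTION };
    }
  }
  return query;
}

// Minimal inclusion-style projection applied in-process to a document.
function project(doc, projection) {
  const out = {};
  for (const field of Object.keys(projection)) {
    if (projection[field] && field in doc) out[field] = doc[field];
  }
  return out;
}

// Fields an unauthenticated request would receive under a given builder.
function exposedFields(buildFn, params) {
  return Object.keys(project(SAMPLE_DOC, buildFn(params, false).projection)).sort();
}

// Demonstration: the same restricted-field request against both builders.
const restrictedRequest = { project: { internalNotes: 1, draftBody: 1 } };
console.log('vulnerable:', exposedFields(buildRestQueryVulnerable, restrictedRequest));
console.log('fixed:     ', exposedFields(buildRestQueryFixed, restrictedRequest));
```

The check a defender wants is the difference between the two builders: with the vulnerable ordering a request naming restricted fields receives them, while the hardened builder returns only whitelisted fields regardless of what the client asked for. Authenticated callers are deliberately left unrestricted in both variants, which is the behaviour the advisory describes as intended.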

Fix

Incorrect Authorization

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-33888
GHSA-XHQ9-58FW-859P

Affected Products

Apostrophe Cms