PT-2026-33173 · Unknown · Apostrophe Cms
Published: 2026-04-15 · Updated: 2026-04-28 · CVE-2026-39857
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: ApostropheCMS versions prior to 4.29.0

Description: An authorization bypass exists in the REST API of this open-source Node.js content management system. Unauthenticated attackers can extract all distinct field values for any schema field type that has a registered query builder, including string, integer, float, select, boolean, date, slug, and relationship fields. This occurs because the choices and counts query parameters execute MongoDB distinct() operations that do not respect publicApiProjection restrictions or viewPermission protections intended to limit public field exposure. The counts parameter further reveals the number of documents associated with each distinct value. Both the piece-type and page REST APIs are affected.

Recommendations: Update to version 4.29.0. As a temporary workaround, restrict access to the choices and counts query parameters in the REST API to minimize the risk of data extraction.
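The temporary workaround above, written here as an added Express-style middleware (example code, not ApostropheCMS project code). It assumes the REST API is mounted under /api/v1/, that the authenticated user, if any, is exposed as req.user, and that "restrict access" means refusing unauthenticated requests that carry the choices or counts parameters:

```javascript
// Added example implementing the advisory's workaround; not ApostropheCMS code.
// Assumptions (not stated on the page): REST API under /api/v1/, authenticated
// user available as req.user, and unauthenticated use of the two aggregate
// parameters is what should be refused.
const API_PREFIX = '/api/v1/';                  // assumed REST API mount point
const AGGREGATE_PARAMS = ['choices', 'counts'];  // parameters named in the advisory

// Normalise one query parameter to a list of field names. Express may hand us
// a string ("a,b"), an array (repeated parameter), or nothing at all.
function requestedFields(query, name) {
  const v = query[name];
  if (v === undefined || v === null) return [];
  const list = Array.isArray(v) ? v.map(String) : String(v).split(',');
  return list.map((s) => s.trim()).filter((s) => s.length > 0);
}

// Pure decision function: null means "allow", otherwise an object describing
// which parameters triggered the refusal (kept separate so it can be unit-tested
// and so the same data can be logged).
function checkAggregateQuery({ path, query, user }) {
  if (!path.startsWith(API_PREFIX)) return null; // only the REST API is affected
  if (user) return null;                        // only unauthenticated access is in scope
  const offending = {};
  for (const p of AGGREGATE_PARAMS) {
    const fields = requestedFields(query || {}, p);
    if (fields.length) offending[p] = fields;
  }
  if (Object.keys(offending).length === 0) return null;
  return { reason: 'aggregate-query-unauthenticated', offending };
}

// Express middleware: 403 for refused requests, plus one log line that a
// detection rule can key on while the upgrade to 4.29.0 is pending.
function blockUnauthenticatedAggregates(req, res, next) {
  const verdict = checkAggregateQuery({ path: req.path, query: req.query, user: req.user });
  if (!verdict) return next();
  console.warn(`[apos-workaround] refused ${req.method} ${req.originalUrl} from ${req.ip}: `
    + JSON.stringify(verdict.offending));
  return res.status(403).json({ name: 'forbidden', message: 'choices/counts require authentication' });
}
```

Mount it with `app.use(blockUnauthenticatedAggregates)` ahead of the API routes; the log line gives incident responders a record of who was probing the aggregate parameters before the fix was deployed.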

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-39857
GHSA-C276-FJ82-F2PQ

Affected Products

Apostrophe Cms