Permalink
CVE-2026-32730
8.1 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): HIGH
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware
ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA requirements were NOT — to be used as fully authenticated bearer tokens. This completely bypasses multi-factor authentication for any ApostropheCMS deployment using `@apostrophecms/login-totp` or any custom `afterPasswordVerified` login requirement. Version 4.28.0 fixes the issue.
References
Affected products
apostrophe
- ==< 4.28.0
Package maintainers
-
@getchoo Seth Flynn <getchoo@tuta.io>
-
@Aleksanaa Aleksana QwQ <me@aleksana.moe>
-
@sternenseemann Lukas Epple <sternenseemann@systemli.org>
-
@michaelgrahamevans Michael Evans <michaelgrahamevans@gmail.com>