CVE-2026-32730 | THREATINT

Description

ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA requirements were NOT — to be used as fully authenticated bearer tokens. This completely bypasses multi-factor authentication for any ApostropheCMS deployment using `@apostrophecms/login-totp` or any custom `afterPasswordVerified` login requirement. Version 4.28.0 fixes the issue.

PUBLISHED Reserved 2026-03-13 | Published 2026-03-18 | Updated 2026-03-19 | Assigner GitHub_M

HIGH: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-287: Improper Authentication

CWE-305: Authentication Bypass by Primary Weakness

Product status

< 4.28.0

affected

References

github.com/...trophe/security/advisories/GHSA-v9xm-ffx2-7h35

cve.org (CVE-2026-32730)

nvd.nist.gov (CVE-2026-32730)

Download JSON