216.73.217.176

CVE-2026-32730

· Published 18/03/2026 23:17 · Modified 19/03/2026 13:25

Labels: CVE-2026-32730 2026-03-18CVE-2026-32730CWE-287[email protected]

Essential information

Published
18/03/2026 23:17
Modified
19/03/2026 13:25
Author
Creator
CVSS
8.1 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA requirements were NOT — to be used as fully authenticated bearer tokens. This completely bypasses multi-factor authentication for any ApostropheCMS deployment using `@apostrophecms/login-totp` or any custom `afterPasswordVerified` login requirement. Version 4.28.0 fixes the issue.

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
apostrophecms / apostrophecms cpe:2.3:a:apostrophecms:apostrophecms:<4.28.0:*:*:*:*:*:*:*
apostrophecms / login-totp cpe:2.3:a:apostrophecms:login-totp:*:*:*:*:*:*:*:*

References