CVE-2026-39857

CVE-2026-39857 is a medium-severity security vulnerability in apostrophe (npm), affecting versions <= 4.28.0. It is fixed in 4.29.0.

Summary

The choices and counts query parameters in the Apostrophe CMS REST API allow unauthenticated users to extract distinct field values for any schema field that has a registered query builder, completely bypassing publicApiProjection restrictions that are intended to limit which fields are exposed publicly. Fields protected by viewPermission are similarly exposed.

Details

When a piece type configures publicApiProjection to enable public API access while restricting visible fields, the restriction is enforced via a MongoDB projection on the main query (piece-type/index.js:1130-1134). However, the choices and counts query builders bypass this protection through a separate code path.

The vulnerable flow:

  1. getRestQuery at piece-type/index.js:1120 calls applyBuildersSafely(req.query) (line 1122), which processes query parameters including choices and counts since both have launder methods (doc-type/index.js:2627-2628 and 2675-2676).

  2. The publicApiProjection is applied afterward (line 1130-1134) as a MongoDB projection on the main query.

  3. During query execution, the choices builder's after handler (doc-type/index.js:2636-2668) iterates over requested field names. The only validation is:

    • The field has a registered builder (_.has(query.builders, filter) at line 2651)
    • The builder has a launder method (line 2656)

    All schema field types (string, integer, float, select, boolean, date, slug, relationship) register query builders with launder methods via addQueryBuilder in addFieldTypes.js.

  4. toChoices (line 2661) calls the field's choices function, which typically calls sortedDistincttoDistinct. The toDistinct method (doc-type/index.js:2811) executes db.distinct(property, criteria), a MongoDB operation that returns all distinct values for the given property matching the criteria. MongoDB's distinct operation does not respect projections; it operates directly on the specified field regardless of any projection set on the query.

  5. The results are stored via query.set('choicesResults', choices) (line 2666) and returned directly in the API response at piece-type/index.js:292-296 without any filtering against publicApiProjection or removeForbiddenFields.

The same bypass applies to viewPermission-protected fields: removeForbiddenFields (doc-type/index.js:1585-1611) only processes document results from toArray(), not the separate choices/counts data.

The page REST API has the same issue at page/index.js:371-376.

PoC

# Prerequisites:
# - An Apostrophe 4.x instance with a piece type configured with publicApiProjection
# - Example: an 'article' piece type with:
#   publicApiProjection: { title: 1, slug: 1, _url: 1 }
#   and additional schema fields like 'status' (select), 'priority' (integer),
#   or 'internalNotes' (string) NOT in the projection

# 1. Verify normal API access only returns projected fields
curl -s 'http://localhost:3000/api/v1/article' | python3 -m json.tool
# Response results contain only: title, slug, _url (as configured)

# 2. Extract distinct values of a non-projected field via choices
curl -s 'http://localhost:3000/api/v1/article?choices=status' | python3 -m json.tool
# Response includes:
# "choices": {"status": [{"value": "draft", "label": "draft"}, {"value": "published", "label": "published"}, ...]}

# 3. Extract distinct values with document counts via counts
curl -s 'http://localhost:3000/api/v1/article?counts=priority' | python3 -m json.tool
# Response includes:
# "counts": {"priority": [{"value": 1, "label": "1", "count": 15}, {"value": 2, "label": "2", "count": 8}, ...]}

# 4. Multiple fields can be extracted at once
curl -s 'http://localhost:3000/api/v1/article?choices=status,priority,internalNotes'

Impact

  • Distinct field values leaked: An unauthenticated attacker can extract all distinct values of any schema field on any piece type that has publicApiProjection configured, even when those fields are explicitly excluded from the projection.
  • Field types affected: All field types that register query builders: string, slug, integer, float, select, boolean, date, and relationship fields.
  • Count disclosure: The counts variant additionally reveals how many documents have each distinct value, providing statistical information about the dataset.
  • viewPermission bypass: Fields protected with viewPermission (intended for role-based field access) are also exposed via this path.
  • Both APIs affected: The piece-type REST API (piece-type/index.js:292-296) and page REST API (page/index.js:371-376) are both vulnerable.
  • Real-world impact: If a CMS stores sensitive data in schema fields (e.g., internal status values, priority levels, internal categories, user-facing content marked as restricted), all distinct values are extractable by any unauthenticated visitor.

CVE-2026-39857 has a CVSS score of 5.3 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.29.0); upgrading removes the vulnerable code path.

Affected versions

apostrophe (<= 4.28.0)

Security releases

apostrophe → 4.29.0 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

In the choices builder's after handler (doc-type/index.js:2636-2668), add validation to skip fields not permitted by publicApiProjection and viewPermission:

// doc-type/index.js, in the choices builder's after handler (line 2644 area)
for (const filter of filters) {
  if (!_.has(query.builders, filter)) {
    continue;
  }
  if (!query.builders[filter].launder) {
    continue;
  }

  // NEW: Enforce publicApiProjection restrictions on choices/counts
  const publicApiProjection = query.get('project');
  if (publicApiProjection && !publicApiProjection[filter]) {
    continue;
  }

  // NEW: Enforce viewPermission field restrictions
  const field = self.schema.find(f => f.name === filter);
  if (field && field.viewPermission &&
      !self.apos.permission.can(query.req, field.viewPermission.action, field.viewPermission.type)) {
    continue;
  }

  const _query = baseQuery.clone();
  _query[filter](null);
  choices[filter] = await _query.toChoices(filter, { counts: query.get('counts') });
}

Additionally, apply the same fix in the page REST API handler (page/index.js) for consistency.

Frequently Asked Questions

  1. What is CVE-2026-39857? CVE-2026-39857 is a medium-severity security vulnerability in apostrophe (npm), affecting versions <= 4.28.0. It is fixed in 4.29.0.
  2. How severe is CVE-2026-39857? CVE-2026-39857 has a CVSS score of 5.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of apostrophe are affected by CVE-2026-39857? apostrophe (npm) versions <= 4.28.0 is affected.
  4. Is there a fix for CVE-2026-39857? Yes. CVE-2026-39857 is fixed in 4.29.0. Upgrade to this version or later.
  5. Is CVE-2026-39857 exploitable, and should I be worried? Whether CVE-2026-39857 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-39857 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-39857? Upgrade apostrophe to 4.29.0 or later.

Other vulnerabilities in apostrophe

CVE-2026-45011CVE-2026-45013CVE-2026-45012CVE-2026-39857CVE-2026-33889

Stop the waste.
Protect your environment with Kodem.