CVE-2026-32730

HIGH

ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware

Title source: cna

Description

ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA requirements were NOT — to be used as fully authenticated bearer tokens. This completely bypasses multi-factor authentication for any ApostropheCMS deployment using `@apostrophecms/login-totp` or any custom `afterPasswordVerified` login requirement. Version 4.28.0 fixes the issue.

References (1)

[X_Refsource_Confirm] https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-v9xm-ffx2-7h35

Scores

CVSS v3 8.1

EPSS 0.0010

EPSS Percentile 26.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-287 CWE-305

Status published

Products (3)

apostrophecms/apostrophe < 4.28.0

apostrophecms/apostrophecms < 4.28.0

npm/apostrophe 0 - 4.28.0npm

Published Mar 18, 2026

Tracked Since Mar 19, 2026