CVE-2026-33326

MEDIUM

@keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany

Title source: cna

Description

Keystone is a content management system for Node.js. Prior to version 6.5.2, {field}.isFilterable access control can be bypassed in findMany queries by passing a cursor. This can be used to confirm the existence of records by protected field values. The fix for CVE-2025-46720 (field-level isFilterable bypass for update and delete mutations) added checks to the where parameter in update and delete mutations however the cursor parameter in findMany was not patched and accepts the same UniqueWhere input type. This issue has been patched in version 6.5.2.

References (1)

[X_Refsource_Confirm] https://github.com/keystonejs/keystone/security/advisories/GHSA-cgcg-q9jh-5pr2

Scores

CVSS v3 4.3

EPSS 0.0001

EPSS Percentile 1.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (2)

keystone-6/core 0 - 6.5.2npm

keystonejs/keystone < 6.5.2

Published Mar 24, 2026

Tracked Since Mar 25, 2026