CVE-2026-32730
Published: 18 March 2026
Summary
CVE-2026-32730 is a high-severity Improper Authentication (CWE-287) vulnerability in Apostrophecms Apostrophecms. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-32730 is a high-severity authentication bypass vulnerability (CVSS 8.1, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting ApostropheCMS, an open-source content management framework, in versions prior to 4.28.0. The issue resides in the bearer token authentication middleware within `@apostrophecms/express/index.js` (lines 386-389), where an incorrect MongoDB query permits incomplete login tokens—those that have verified only the password but skipped TOTP/MFA requirements—to function as fully authenticated bearer tokens. This flaw impacts any ApostropheCMS deployment utilizing `@apostrophecms/login-totp` or custom `afterPasswordVerified` login mechanisms, mapped to CWEs-287 (Improper Authentication) and CWE-305 (Incorrect Authorization).
An attacker with network access and knowledge of a valid user password can exploit this vulnerability despite high attack complexity. By initiating a login with just the password (bypassing MFA), they obtain a bearer token that the middleware incorrectly validates as complete, granting full authenticated access equivalent to a legitimate MFA-approved session. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, such as unauthorized data access, modification, or denial of service within the ApostropheCMS instance.
The official GitHub security advisory at https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-v9xm-ffx2-7h35 details the fix in ApostropheCMS version 4.28.0, which corrects the MongoDB query in the authentication middleware to properly enforce MFA and custom post-password checks. Security practitioners should upgrade to 4.28.0 or later and review deployments for exposure.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12975
Vulnerability details
ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA requirements were…
more
NOT — to be used as fully authenticated bearer tokens. This completely bypasses multi-factor authentication for any ApostropheCMS deployment using `@apostrophecms/login-totp` or any custom `afterPasswordVerified` login requirement. Version 4.28.0 fixes the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authentication bypass in public-facing ApostropheCMS web app (bearer token/MFA flaw) directly enables remote exploitation of the application for initial access (T1190) and abuse of valid accounts without completing MFA (T1078).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the CVE by requiring identification, reporting, and correction of the specific flaw in the bearer token authentication middleware's MongoDB query.
Ensures proper implementation and enforcement of multi-factor authentication for organizational users, preventing acceptance of incomplete login tokens lacking TOTP/MFA verification.
Requires mechanisms to enforce approved authorizations, addressing the incorrect access decisions made by the flawed authentication middleware.