Cyber Resilience

CVE-2026-32730

HighPublic PoC

Published: 18 March 2026

Published
18 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0036 28.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-32730 is a high-severity Improper Authentication (CWE-287) vulnerability in Apostrophecms Apostrophecms. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32730 is a high-severity authentication bypass vulnerability (CVSS 8.1, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting ApostropheCMS, an open-source content management framework, in versions prior to 4.28.0. The issue resides in the bearer token authentication middleware within `@apostrophecms/express/index.js` (lines 386-389), where an incorrect MongoDB query permits incomplete login tokens—those that have verified only the password but skipped TOTP/MFA requirements—to function as fully authenticated bearer tokens. This flaw impacts any ApostropheCMS deployment utilizing `@apostrophecms/login-totp` or custom `afterPasswordVerified` login mechanisms, mapped to CWEs-287 (Improper Authentication) and CWE-305 (Incorrect Authorization).

An attacker with network access and knowledge of a valid user password can exploit this vulnerability despite high attack complexity. By initiating a login with just the password (bypassing MFA), they obtain a bearer token that the middleware incorrectly validates as complete, granting full authenticated access equivalent to a legitimate MFA-approved session. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, such as unauthorized data access, modification, or denial of service within the ApostropheCMS instance.

The official GitHub security advisory at https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-v9xm-ffx2-7h35 details the fix in ApostropheCMS version 4.28.0, which corrects the MongoDB query in the authentication middleware to properly enforce MFA and custom post-password checks. Security practitioners should upgrade to 4.28.0 or later and review deployments for exposure.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA requirements were…

more

NOT — to be used as fully authenticated bearer tokens. This completely bypasses multi-factor authentication for any ApostropheCMS deployment using `@apostrophecms/login-totp` or any custom `afterPasswordVerified` login requirement. Version 4.28.0 fixes the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Authentication bypass in public-facing ApostropheCMS web app (bearer token/MFA flaw) directly enables remote exploitation of the application for initial access (T1190) and abuse of valid accounts without completing MFA (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35569Same product: Apostrophecms Apostrophecms
CVE-2026-32731Same vendor: Apostrophecms
CVE-2024-12919Shared CWE-287
CVE-2026-3655Shared CWE-287
CVE-2026-0953Shared CWE-287
CVE-2026-5722Shared CWE-287
CVE-2026-30949Shared CWE-287
CVE-2026-23906Shared CWE-287
CVE-2025-67822Shared CWE-287
CVE-2025-1475Shared CWE-287

Affected Assets

apostrophecms
apostrophecms
≤ 4.28.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring identification, reporting, and correction of the specific flaw in the bearer token authentication middleware's MongoDB query.

prevent

Ensures proper implementation and enforcement of multi-factor authentication for organizational users, preventing acceptance of incomplete login tokens lacking TOTP/MFA verification.

prevent

Requires mechanisms to enforce approved authorizations, addressing the incorrect access decisions made by the flawed authentication middleware.

References