CVE-2026-32730
ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware
| CVSS Score | 8.1 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens (tokens issued after the password was verified but before the TOTP/MFA requirements were satisfied) to be used as fully authenticated bearer tokens. This completely bypasses multi-factor authentication for any ApostropheCMS deployment using `@apostrophecms/login-totp` or any custom `afterPasswordVerified` login requirement. Version 4.28.0 fixes the issue.
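The following is an added illustration of the bug class the advisory describes, written for this page and not taken from ApostropheCMS: a bearer-token lookup that matches on the token value and expiry alone will accept a token whose login never finished its second factor, while a lookup that also requires the login to be complete rejects it. The token documents, the `incompleteLogin` field name, the in-memory stand-in for a MongoDB collection and all function names are assumptions made for the example.

```javascript
// Added example, not ApostropheCMS code. Field names (`incompleteLogin`,
// `expires`, `userId`), token ids and function names are assumptions used to
// model the advisory's bug class: a bearer-token query that never checks
// whether the login's MFA step was completed.

// Constructed sample token store standing in for a MongoDB collection.
// `incompleteLogin: true` marks a token issued after the password check but
// before the TOTP/MFA requirement was satisfied.
const tokens = [
  { _id: 'tok-complete', userId: 'alice', incompleteLogin: false, expires: Date.parse('2099-01-01T00:00:00Z') },
  { _id: 'tok-pending-totp', userId: 'bob', incompleteLogin: true, expires: Date.parse('2099-01-01T00:00:00Z') },
  { _id: 'tok-expired', userId: 'carol', incompleteLogin: false, expires: Date.parse('2000-01-01T00:00:00Z') }
];

// Minimal stand-in for collection.findOne({...}): supports equality matches
// and a `$gt` comparison on a single field, enough to express both queries.
function findOne(collection, query) {
  const matches = doc => Object.entries(query).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object' && '$gt' in cond) {
      return doc[field] > cond.$gt;
    }
    return doc[field] === cond;
  });
  return collection.find(matches) || null;
}

// Vulnerable pattern: the query checks only the token id and expiry, so a
// token whose login requirements were never completed is accepted as if the
// user had fully authenticated.
function lookupBearerVulnerable(tokenId, now = Date.now()) {
  return findOne(tokens, { _id: tokenId, expires: { $gt: now } });
}

// Hardened pattern: the query additionally requires that the login is
// complete, so a password-only token cannot be presented as a bearer token.
function lookupBearerFixed(tokenId, now = Date.now()) {
  return findOne(tokens, { _id: tokenId, expires: { $gt: now }, incompleteLogin: false });
}

// Parses an Authorization header, resolves the token with the given lookup and
// returns the authenticated user id, or null if the token grants no access.
function authenticate(lookup, authorizationHeader) {
  const m = /^Bearer\s+(\S+)$/.exec(authorizationHeader || '');
  if (!m) return null;
  const doc = lookup(m[1]);
  return doc ? doc.userId : null;
}

// Side-by-side comparison when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  for (const id of ['tok-complete', 'tok-pending-totp', 'tok-expired']) {
    const header = `Bearer ${id}`;
    console.log(id,
      'vulnerable ->', authenticate(lookupBearerVulnerable, header),
      'fixed ->', authenticate(lookupBearerFixed, header));
  }
}
```

The detection-worthy condition is the middle row: the vulnerable lookup returns a user for the token that never passed its second factor, the fixed lookup returns null. In a real collection query the completion check should be written so that documents lacking the flag are also rejected; the toy stand-in here supports only equality and `$gt`, so the constructed documents always carry the field.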
| CWE | CWE-287 CWE-305 |
| Vendor | apostrophecms |
| Product | apostrophe |
| Published | Mar 18, 2026 |
| Last Updated | Mar 19, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Affected Versions
| apostrophecms / apostrophe | < 4.28.0 |