{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T02:32:40.461","vulnerabilities":[{"cve":{"id":"CVE-2026-32730","sourceIdentifier":"security-advisories@github.com","published":"2026-03-18T23:17:29.370","lastModified":"2026-03-24T21:34:09.467","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in `@apostrophecms/express/index.js` (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA requirements were NOT — to be used as fully authenticated bearer tokens. This completely bypasses multi-factor authentication for any ApostropheCMS deployment using `@apostrophecms/login-totp` or any custom `afterPasswordVerified` login requirement. Version 4.28.0 fixes the issue."},{"lang":"es","value":"ApostropheCMS es un framework de gestión de contenido de código abierto. Antes de la versión 4.28.0, el middleware de autenticación de token de portador en `@apostrophecms/express/index.js` (líneas 386-389) contiene una consulta de MongoDB incorrecta que permite que tokens de inicio de sesión incompletos — donde la contraseña fue verificada pero los requisitos de TOTP/MFA NO lo fueron — sean usados como tokens de portador completamente autenticados. Esto omite completamente la autenticación multifactor para cualquier despliegue de ApostropheCMS que use `@apostrophecms/login-totp` o cualquier requisito de inicio de sesión `afterPasswordVerified` personalizado. \nLa versión 4.28.0 corrige el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-287"},{"lang":"en","value":"CWE-305"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apostrophecms:apostrophecms:*:*:*:*:*:*:*:*","versionEndExcluding":"4.28.0","matchCriteriaId":"01CB37B4-4FF5-4E4D-97B7-AB8E66630F97"}]}]}],"references":[{"url":"https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-v9xm-ffx2-7h35","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}