@keystone-6/core vulnerable to field-level access-control bypass for multiselect field
Description
@keystone-6/core is the core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior to version 2.3.1, any field-level access control configured on a multiselect field is silently ignored: the multiselect field type did not forward its `access` option to the underlying field implementation, so the field behaves as if no field-level rules had been set. List-level access control is not affected, and field-level access control on fields other than multiselect is not affected. Version 2.3.1 contains a fix for this issue. As a workaround, stop using the multiselect field.
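To make the failure mode concrete, here is an added illustration that is not code from @keystone-6/core: a simplified field factory that models the pre-2.3.1 multiselect (only `ui` forwarded) next to the fixed shape (the whole remaining config forwarded), plus the kind of regression check a test suite could run over every field type. All type and function names here are hypothetical; only the option names (`label`, `access`, `ui`, `isFilterable`, `isOrderable`) come from the advisory.

```typescript
// Added illustration, not code from @keystone-6/core. Names are hypothetical.
type Session = { isAdmin?: boolean } | undefined;
type Context = { session?: Session };
type AccessRule = (ctx: Context) => boolean;

// The subset of field options relevant here; names mirror the advisory's list.
interface FieldConfig {
  label?: string;
  ui?: { displayMode?: 'select' | 'checkboxes' };
  access?: { read?: AccessRule; update?: AccessRule };
  isFilterable?: boolean;
  isOrderable?: boolean;
  hooks?: { beforeOperation?: () => void };
  defaultValue?: string[];
}

// What the framework core receives from the field factory.
interface ResolvedField extends Omit<FieldConfig, 'defaultValue'> {
  hooks: { beforeOperation?: () => void; validateInput: (value: unknown) => void };
}

function validateInput(value: unknown): void {
  if (!Array.isArray(value)) throw new Error('multiselect expects an array');
}

// Vulnerable shape: `ui` is destructured out and is the only option forwarded,
// so `access`, `label`, `isFilterable` and `isOrderable` are silently dropped.
function multiselectVulnerable({ ui, defaultValue = [], ...config }: FieldConfig): ResolvedField {
  void defaultValue; // consumed elsewhere in a real factory; irrelevant here
  void config;       // the bug: the remaining options are never used
  return { ui, hooks: { validateInput } };
}

// Fixed shape: keep `ui` inside `config`, spread the whole object, then layer
// the merged hooks on top (later keys win in an object literal).
function multiselectFixed({ defaultValue = [], ...config }: FieldConfig): ResolvedField {
  void defaultValue;
  return { ...config, hooks: { ...config.hooks, validateInput } };
}

// How a framework applies field-level access: no rule configured means allowed,
// which is exactly why a dropped `access` option turns into a silent bypass.
function canRead(field: ResolvedField, ctx: Context): boolean {
  const rule = field.access?.read;
  return rule ? rule(ctx) : true;
}

// Regression check: which options the developer configured did not survive
// into the resolved field? (defaultValue and hooks are legitimately reshaped.)
function droppedOptions(configured: FieldConfig, resolved: ResolvedField): string[] {
  return (Object.keys(configured) as (keyof FieldConfig)[])
    .filter(key => key !== 'defaultValue' && key !== 'hooks')
    .filter(key => !(key in resolved))
    .map(String);
}

function demo() {
  // Constructed sample config: only admins may read the field.
  const tagsConfig: FieldConfig = {
    label: 'Tags',
    ui: { displayMode: 'checkboxes' },
    access: { read: ({ session }) => session?.isAdmin === true },
    isFilterable: true,
    defaultValue: [],
  };
  const anonymous: Context = {};
  const vulnerable = multiselectVulnerable(tagsConfig);
  const fixed = multiselectFixed(tagsConfig);
  return {
    anonymousReadVulnerable: canRead(vulnerable, anonymous),  // true: rule was lost
    anonymousReadFixed: canRead(fixed, anonymous),            // false: rule enforced
    droppedVulnerable: droppedOptions(tagsConfig, vulnerable), // ['label', 'access', 'isFilterable']
    droppedFixed: droppedOptions(tagsConfig, fixed),           // []
  };
}
```

The `droppedOptions` check is the useful takeaway for defenders: a field-level `access` rule that is dropped on the way to the core fails open, so a test that compares configured options against the resolved field for every field type catches this class of bug before it reaches a schema.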
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @keystone-6/core (npm) | >= 2.2.0, < 2.3.1 | 2.3.1 |
Affected products
- Range: >= 2.2.0, < 2.3.1
Patches
165c6ee3deef2 Fix multiselect field type not propagating common config options (#8007)
2 files changed · +6 −2
.changeset/two-ghosts-jog.md+5 −0 added@@ -0,0 +1,5 @@ +--- +'@keystone-6/core': patch +--- + +Fixes the multiselect field type not using the provided `label`, `access`, `graphql`, `isFilterable` or `isOrderable` configuration options
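Review bot: the changeset text frames this as a missing-option bug, but dropping `access` means every field-level rule on a multiselect field was silently not enforced, which is the security impact the advisory above describes; the release note should say so explicitly so that users reading the changelog understand why upgrading to 2.3.1 matters.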
packages/core/src/fields/types/multiselect/index.ts+1 −2 modified@@ -52,7 +52,6 @@ const MIN_INT = -2147483648; export const multiselect = <ListTypeInfo extends BaseListTypeInfo>({ - ui, defaultValue = [], ...config }: MultiselectFieldConfig<ListTypeInfo>): FieldTypeFunc<ListTypeInfo> => @@ -107,7 +106,7 @@ export const multiselect = return jsonFieldTypePolyfilledForSQLite( meta.provider, { - ui, + ...config, hooks: { ...config.hooks, async validateInput(args) {
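Review bot: no regression test accompanies the fix (2 files changed, a source file and a changeset); since the root cause is that only `ui,` reached `jsonFieldTypePolyfilledForSQLite` and `access`, `label`, `graphql`, `isFilterable` and `isOrderable` were dropped, a test that configures a multiselect field with a denying `access` rule and asserts it is enforced would prevent the same silent fail-open from recurring. The change itself reads correctly: removing `ui` from the destructuring keeps it inside `config`, and because `hooks:` follows `...config,` in the object literal the merged hooks still override `config.hooks` as before.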