High severityNVD Advisory· Published Mar 18, 2026· Updated Mar 19, 2026
ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware
CVE-2026-32730
Description
ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in @apostrophecms/express/index.js (lines 386-389) contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA requirements were NOT — to be used as fully authenticated bearer tokens. This completely bypasses multi-factor authentication for any ApostropheCMS deployment using @apostrophecms/login-totp or any custom afterPasswordVerified login requirement. Version 4.28.0 fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
apostrophenpm | < 4.28.0 | 4.28.0 |
Affected products
1- Range: < 4.28.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-v9xm-ffx2-7h35ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32730ghsaADVISORY
- github.com/apostrophecms/apostrophe/security/advisories/GHSA-v9xm-ffx2-7h35ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.