CVE-2026-53609 (CRITICAL). CNA: GitHub_M

CVE-2026-53609: Apostrophe has Server-Side Prototype Pollution in apos.util.set via patch operators that leads to process-wide authorization bypass

ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, `apos.util.set()` traverses dot-notation paths without sanitizing `__proto__`, allowing an authenticated editor to write arbitrary values to `Object.prototype` via the `$pullAll` patch operator. A confirmed gadget in `publicApiCheck()` causes this to bypass authorization on all piece-type REST API endpoints for every subsequent unauthenticated request, for the lifetime of the Node.js process. As of the time of publication, no known patched versions are available.

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: no patched version available at time of publication
Affected Products: 1


HarborGuard Analysis

Synopsis

Server-side prototype pollution in ApostropheCMS (versions up to and including 4.30.0) allows an authenticated editor to write arbitrary values to Object.prototype via the apos.util.set() function by passing unsanitized __proto__ keys through the $pullAll patch operator. The attack is reachable over the network with a low-privilege account and no victim interaction required. Successful exploitation activates a confirmed gadget in publicApiCheck() that disables authorization checks on all piece-type REST API endpoints for every subsequent request for the lifetime of the Node.js process, effectively granting unauthenticated access to protected data and operations across the entire application. HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment upstream publishes a fix.
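The mechanism described in the advisory text and this synopsis, as an added illustration that is not ApostropheCMS code: naiveSet stands in for a dot-path setter that does not reject __proto__, safeSet is the hardened form, and prototypeIsClean is a canary a process health check can call. The function names and the constructed path in demo() are assumptions, not taken from the project.

```javascript
// Naive setter: walks "a.b.c", creating intermediate objects. A segment named
// "__proto__" steps onto Object.prototype, so the final write lands on the
// prototype shared by every object in the process (added example, not Apostrophe code).
function naiveSet(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Hardened setter: reject keys that reach shared prototypes and descend only
// through own properties, so a caller-controlled path can never leave obj.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);
function safeSet(obj, path, value) {
  const parts = path.split('.');
  if (parts.some((p) => RESERVED.has(p))) {
    throw new TypeError(`rejected path with reserved key: ${path}`);
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, parts[i]);
    if (!own || typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) {
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Canary for a health check: snapshot Object.prototype's own property names at
// startup and flag any later addition, since the damage persists process-wide.
const BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));
function prototypeIsClean() {
  return Object.getOwnPropertyNames(Object.prototype).every((n) => BASELINE.has(n));
}

// Contrast the two setters on a constructed path, then undo the pollution.
function demo() {
  naiveSet({}, '__proto__.polluted', true);
  const leaked = ({}).polluted === true; // visible on an unrelated object
  const detected = !prototypeIsClean();
  delete Object.prototype.polluted;      // restore the process
  return { leaked, detected, cleanAfter: prototypeIsClean() };
}
```

Because the prototype write outlives the request that made it, a canary like prototypeIsClean() belongs in a readiness probe so a polluted process is recycled rather than left serving traffic.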

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Node.js images that bundle ApostropheCMS at an affected version. Any image containing apostrophe at or below 4.30.0 is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 9.1 CRITICAL using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine escalation priority. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated version of apostrophe is released. For customers with auto-remediation enabled, the rebuild, regression run, and pull request against affected workloads will be initiated without manual intervention as soon as the fix version is available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable apos.util.set() code path is exposed over the network via ApostropheCMS REST API endpoints, so the attacker must be able to reach the service over the network.

  • Authentication: Required

    A low-privilege editor account is sufficient; the attacker does not need administrative credentials to submit the malicious patch operator payload.

  • Victim interaction: Not required

    No victim action is needed; the attacker submits the crafted request directly and the prototype pollution takes effect immediately in the Node.js process.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no race conditions, special memory layout, or other environmental preconditions beyond network access and a valid low-privilege account.

Blast Radius

  • Reads any data returned by piece-type REST API endpoints that were previously protected by authorization checks, including content, user records, and configuration exposed through those endpoints.
  • Bypasses authorization for all subsequent unauthenticated requests to piece-type REST API endpoints for the lifetime of the running Node.js process, meaning the window of exposure persists until the process is restarted.
  • Allows modification of piece-type resources via unauthenticated REST API calls if write endpoints are covered by the bypassed authorization checks.
  • Degrades integrity of access controls process-wide, meaning other authenticated workflows that rely on the same authorization mechanism may also be affected.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for this CVE as of publication, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment apostrophe publishes a fix. For customers with auto-remediation enabled, the full flow (rebuild, regression test, and PR opened against affected workloads) will execute without manual steps. While awaiting an upstream fix, compensating controls worth considering include applying network-policy rules that restrict which clients can reach ApostropheCMS REST API endpoints, isolating the CMS process behind an API gateway that enforces authentication independently, and disabling or gating piece-type REST API endpoints that are not required for current workloads. HarborGuard will surface the advisory status update and rebuild availability as soon as upstream ships.

Affected packages

  • apostrophecms / apostrophe: <= 4.30.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L