FKIE_CVE-2026-33326

Vulnerability from fkie_nvd - Published: 2026-03-24 20:16 - Updated: 2026-03-25 15:41
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Keystone is a content management system for Node.js. Prior to version 6.5.2, {field}.isFilterable access control can be bypassed in findMany queries by passing a cursor. This can be used to confirm the existence of records by protected field values. The fix for CVE-2025-46720 (field-level isFilterable bypass for update and delete mutations) added checks to the where parameter in update and delete mutations however the cursor parameter in findMany was not patched and accepts the same UniqueWhere input type. This issue has been patched in version 6.5.2.
References
security-advisories@github.comhttps://github.com/keystonejs/keystone/security/advisories/GHSA-cgcg-q9jh-5pr2
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Keystone is a content management system for Node.js. Prior to version 6.5.2, {field}.isFilterable access control can be bypassed in findMany queries by passing a cursor. This can be used to confirm the existence of records by protected field values. The fix for CVE-2025-46720 (field-level isFilterable bypass for update and delete mutations) added checks to the where parameter in update and delete mutations however the cursor parameter in findMany was not patched and accepts the same UniqueWhere input type. This issue has been patched in version 6.5.2."
    },
    {
      "lang": "es",
      "value": "Keystone es un sistema de gesti\u00f3n de contenido para Node.js. Antes de la versi\u00f3n 6.5.2, el control de acceso {field}.isFilterable puede ser eludido en consultas findMany al pasar un cursor. Esto puede usarse para confirmar la existencia de registros mediante valores de campos protegidos. La correcci\u00f3n para CVE-2025-46720 (elusi\u00f3n de isFilterable a nivel de campo para mutaciones de actualizaci\u00f3n y eliminaci\u00f3n) a\u00f1adi\u00f3 comprobaciones al par\u00e1metro where en las mutaciones de actualizaci\u00f3n y eliminaci\u00f3n; sin embargo, el par\u00e1metro cursor en findMany no fue parcheado y acepta el mismo tipo de entrada UniqueWhere. Este problema ha sido parcheado en la versi\u00f3n 6.5.2."
    }
  ],
  "id": "CVE-2026-33326",
  "lastModified": "2026-03-25T15:41:58.280",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-24T20:16:28.043",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-cgcg-q9jh-5pr2"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.