CVE-2026-33326 in keystone
Summary
by MITRE • 03/24/2026
Keystone is a content management system for Node.js. Prior to version 6.5.2, {field}.isFilterable access control can be bypassed in findMany queries by passing a cursor. This can be used to confirm the existence of records by protected field values. The fix for CVE-2025-46720 (field-level isFilterable bypass for update and delete mutations) added checks to the where parameter in update and delete mutations; however, the cursor parameter in findMany was not patched and accepts the same UniqueWhere input type. This issue has been patched in version 6.5.2.
Analysis
by VulDB Data Team • 05/06/2026
CVE-2026-33326 affects Keystone, a Node.js content management system that exposes a GraphQL API for managing content. The issue is a critical access control bypass of field-level permissions in the findMany query. It affects versions prior to 6.5.2 and stems from an incomplete fix for the related issue CVE-2025-46720. The root cause is inconsistent application of access control checks across query types within the same system: the earlier patch addressed the bypass in update and delete mutations, but it did not extend the same protection to the cursor parameter used by findMany queries.
The flaw arises because the cursor parameter of findMany accepts the same UniqueWhere input type that the earlier fix validated for update and delete operations, so the unpatched path remains a usable bypass of field-level isFilterable access controls. The cursor parameter is meant to position a paginated traversal of query results, but because its input is not checked against isFilterable, it can reference protected field values that should normally be off-limits to the caller. Whether or not the query returns results then reveals whether a record with that protected field value exists, letting an unauthorized caller confirm the existence of specific records and leak information about database contents.
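To make the gap concrete, the following added example (not Keystone's own code) models the pattern the advisory describes: a field-level isFilterable check that is applied to the where argument but skipped for the cursor argument, beside the consistent form in which every argument accepting UniqueWhere input is validated. The list schema, field names, the isFilterable resolver shape and the argument shape are assumptions made for illustration, not Keystone's internals.

```javascript
// Added example, not Keystone's code: a minimal model of field-level
// isFilterable enforcement for the unique-where inputs a findMany query takes.
// The schema shape, field names and resolver signature are assumptions.

// Constructed list schema: `email` may be filtered on; `secretToken` may not.
const listSchema = {
  fields: {
    id: { isFilterable: () => true },
    email: { isFilterable: () => true },
    secretToken: { isFilterable: () => false },
  },
};

// Reject any unique-where input that references a field the caller
// is not permitted to filter on. `context` would carry the session in a
// real resolver; here every resolver ignores it.
function assertFilterable(schema, uniqueWhere, context) {
  for (const fieldName of Object.keys(uniqueWhere || {})) {
    const field = schema.fields[fieldName];
    if (!field) throw new Error(`Unknown field ${fieldName}`);
    if (!field.isFilterable(context)) {
      throw new Error(`Access denied: field ${fieldName} is not filterable`);
    }
  }
}

// "Before" shape: only `where` is validated, mirroring the gap the advisory
// describes. `cursor` accepts the same UniqueWhere type but is never checked,
// so a protected field value can be used to probe for a record's existence.
function validateFindManyArgsUnpatched(schema, args, context) {
  assertFilterable(schema, args.where, context);
  return true;
}

// "After" shape: every argument that accepts UniqueWhere input goes through
// the same check, so access control is consistent across the whole query.
function validateFindManyArgsPatched(schema, args, context) {
  assertFilterable(schema, args.where, context);
  assertFilterable(schema, args.cursor, context);
  return true;
}

// Returns whether a validator accepts the given findMany arguments.
function accepts(validator, args) {
  try {
    validator(listSchema, args, { session: null });
    return true;
  } catch (e) {
    return false;
  }
}

// Demonstration: the unpatched validator blocks a protected field in `where`
// but lets the identical input through in `cursor`; the patched one blocks both.
console.log(accepts(validateFindManyArgsUnpatched, { where: { secretToken: 'x' } }));  // false
console.log(accepts(validateFindManyArgsUnpatched, { cursor: { secretToken: 'x' } })); // true
console.log(accepts(validateFindManyArgsPatched, { cursor: { secretToken: 'x' } }));   // false
console.log(accepts(validateFindManyArgsPatched, { where: { email: 'a@b' }, cursor: { id: '1' } })); // true
```

The defensive lesson is the one the advisory draws: when a fix adds validation to one argument, every other argument that shares the same input type needs the same check, and a regression test of this shape (same protected field, each argument in turn) is the cheapest way to catch the omission before release. For Keystone itself the remediation is the upgrade to 6.5.2; this model is only useful for auditing custom resolvers that accept UniqueWhere-style input.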
The operational impact goes beyond simple information disclosure. The bypass supports reconnaissance: mapping out database structure and identifying sensitive records that should remain hidden. This directly violates the least-privilege and data-isolation principles that content management systems depend on for integrity. Because it lets an attacker confirm the existence of records by protected field values, the flaw is particularly damaging in deployments that handle sensitive user data, proprietary content, or confidential business information, and the leaked information can serve as intelligence for more sophisticated follow-on attacks.
The vulnerability corresponds to CWE-284 (Improper Access Control) and illustrates how an incomplete security patch can leave a persistent risk. In ATT&CK terms, it maps to T1087.001 (Account Discovery) and T1566.001 (Phishing), since the leaked information can be used to identify valuable targets and craft more effective social engineering campaigns. The fix in version 6.5.2 ensures that the cursor parameter in findMany queries receives the same access control validation as the other query types, restoring consistent security boundaries across all operations in the system. Organizations running Keystone should upgrade to version 6.5.2 or later without delay and verify that every query parameter enforces field-level access controls.