CVE-2026-33326 @keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany

Keystone is a content management system for Node.js. Prior to version 6.5.2, field.isFilterable access control can be bypassed in findMany queries by passing a cursor. This can be used to confirm the existence of records by protected field values. The fix for CVE-2025-46720 field-level isFilterab...

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure when applying isFilterable to sensitive data. By adding malicious uniqueness filters to the where clause of an update or delete operation, a user can infer the presence of specific values in records the user does no...

GHSA-CGCG-Q9JH-5PR2 @keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany (CVE-2025-46720 incomplete fix)

Summary field.isFilterable access control can be bypassed in findMany queries by passing a cursor. This can be used to confirm the existence of records by protected field values. The fix for CVE-2025-46720 field-level isFilterable bypass for update and delete mutations added checks to the where...

@beemstream/keystone-document-gallery (>=2.0.0 <=2.0.6), @murz/keystone-field-nested-set (=4.0.1-1) +7 more potentially affected by CVE-2023-40027 via @keystone-6/core (>=1.1.1 <=5.2.0)

@keystone-6/core NPM version =1.1.1, =2.0.0, =2.1.0, =1.0.0, =6.0.21, =0.0.1, =1.0.0, =0.0.1, =0.1.0, =0.2.0 Source cves: CVE-2023-40027 Source advisory: OSV:GHSA-9CVC-V7WM-992C...

PT-2023-27221 · Unknown · @Keystone-6/Core

Name of the Vulnerable Software and Affected Versions: @keystone-6/core versions prior to 5.5.1 Description: The issue arises when ui.isAccessAllowed is set as undefined, making the adminMeta GraphQL query publicly accessible without requiring a session. This behavior differs from the default...

PT-2023-24771 · Unknown · @Keystone-6/Auth

Name of the Vulnerable Software and Affected Versions: @keystone-6/auth versions 7.0.0 and prior Description: Keystone is a content management system for Node.JS. There is an open redirect in the @keystone-6/auth package, where the redirect leading / filter can be bypassed. Users may be redirecte...

PT-2023-32980 · Cuid +1 · Cuid +2

Name of the Vulnerable Software and Affected Versions: @keystone-6/ versions affected versions not specified Description: The cuid package is deprecated and marked as insecure by its author due to security concerns. It is recommended to use @paralleldrive/cuid2 instead. The issue affects...

PT-2022-24899 · Unknown · @Keystone-6/Core

Name of the Vulnerable Software and Affected Versions: @keystone-6/core versions 2.2.0 through 2.3.0 Description: The issue affects users of the multiselect field in @keystone-6/core who have configured field-level access control. The field-level access control is not being used, making the data...