ApostropheCMS Bearer Token Authentication Bypass Vulnerability Allowing MFA Bypass

Vulnerability

A vulnerability in ApostropheCMS prior to version 4.28.0 allows for multi-factor authentication (MFA) to be bypassed through an incorrect MongoDB query in the bearer token authentication middleware. This flaw enables incomplete login tokens—where the password has been verified but TOTP/MFA requirements have not—to be used as fully authenticated bearer tokens. As a result, deployments using '@apostrophecms/login-totp' or any custom 'afterPasswordVerified' login requirement are affected. The vulnerability arises because the query mistakenly matches tokens with unverified requirements, contrary to its intended purpose.
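The following is an added illustration, not ApostropheCMS code and not the project's actual query: it models a bearer-token lookup whose MongoDB filter was meant to exclude login tokens with unverified requirements but still matches them, beside the corrected filter. The token document shape, the field names `requirementsComplete` and `pendingRequirements`, and the specific mistake shown (using `$ne: false`, which in MongoDB also matches documents where the field is absent) are assumptions chosen to demonstrate the failure mode; the minimal `matches` helper stands in for a real `find()` so the snippet runs offline.

```javascript
// Added example (not ApostropheCMS code): a bearer-token lookup that accepts
// an incomplete login token, and the corrected query. Schema and field names
// are hypothetical.

// Constructed sample token store. In this assumed schema a fully verified
// token carries requirementsComplete: true, while an incomplete token
// (password verified, TOTP still pending) records only what is pending and
// never sets requirementsComplete at all.
const tokens = [
  { _id: 'tok-complete', userId: 'u1', requirementsComplete: true },
  { _id: 'tok-incomplete', userId: 'u1', pendingRequirements: ['totp'] }
];

// Minimal stand-in for a MongoDB find() filter, implementing only exact
// equality and $ne. It keeps the MongoDB semantics that matter here:
// { field: { $ne: v } } matches documents in which the field is absent.
function matches(doc, query) {
  return Object.entries(query).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === 'object' && '$ne' in cond) {
      return value !== cond.$ne; // absent field (undefined) !== false -> true
    }
    return value === cond;
  });
}

function findOne(store, query) {
  return store.find(doc => matches(doc, query)) || null;
}

// Vulnerable lookup: intends to exclude incomplete tokens with $ne: false,
// but incomplete tokens never set the field, so they still match.
function lookupBearerVulnerable(store, token) {
  return findOne(store, { _id: token, requirementsComplete: { $ne: false } });
}

// Corrected lookup: demand the positive completion flag, so a token is only
// usable as a bearer token once every login requirement has been verified.
function lookupBearerFixed(store, token) {
  return findOne(store, { _id: token, requirementsComplete: true });
}

// Middleware-style check: returns the user id on success, null on rejection.
function authenticateBearer(lookup, store, token) {
  const doc = lookup(store, token);
  return doc ? doc.userId : null;
}

console.log(authenticateBearer(lookupBearerVulnerable, tokens, 'tok-incomplete')); // u1 (MFA bypassed)
console.log(authenticateBearer(lookupBearerFixed, tokens, 'tok-incomplete'));      // null (rejected)
console.log(authenticateBearer(lookupBearerFixed, tokens, 'tok-complete'));        // u1
```

The defensive takeaway is to test the bearer path with a deliberately incomplete token: a regression test that asserts `lookupBearerFixed` returns null for a token whose requirements are still pending would have caught the filter that `$ne` silently widened.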

Impact

Exploitation of this vulnerability allows an attacker who knows a user's password to bypass TOTP verification and gain full authenticated access via the API, using the incomplete token as a bearer token.

Reproduction

To reproduce this vulnerability, authenticate with a valid username and password on an ApostropheCMS instance with '@apostrophecms/login-totp' enabled. After the initial login, an incomplete token will be issued, indicating that TOTP verification is still required. This incomplete token can then be used as a bearer token to access protected resources, bypassing the MFA requirement.

Remediation

Users should update to ApostropheCMS version 4.28.0 or later, where this vulnerability has been fixed.

Added: Mar 18, 2026, 11:24 PM
Updated: Mar 18, 2026, 11:24 PM

Vulnerability Rating

Custom Algorithm

spread          3.4
impact          5.0
exploitability  6.4
remediation     7.7
relevance       4.3
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.