@keystone-6/core
cpe:2.3:a:keystonejs:keystone:*:*:*:*:node.js:*:*
- <= 6.5.1
An access control bypass vulnerability has been identified in Keystone, a Node.js content management system, prior to version 6.5.2. The issue arises in 'findMany' queries, where '{field}.isFilterable' access control can be circumvented by using a cursor. This lets a caller confirm whether a record exists based on protected field values. Although the update and delete mutations were patched to address a similar vulnerability (CVE-2025-46720), the 'findMany' cursor parameter remained vulnerable, accepting the same 'UniqueWhere' input type.
Exploitation of this vulnerability allows bypassing of the 'isFilterable' access control, enabling external users to use field filtering as a discovery tool. This issue affects any project that relies on 'isFilterable' to protect sensitive field values, but does not impact projects that have disabled filtering for those fields or omitted them from the GraphQL schema.
Users can upgrade to Keystone version 6.5.2 or later to address this vulnerability. In projects using an older version where an upgrade is not possible, relevant fields can be set to '{field}.isFilterable: false' or '{field}.graphql.omit.read: true' to mitigate the issue.
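The check below is an added example, not code from Keystone or from this advisory: it lists the fields in a project that still need one of the two mitigations above. The 'FieldCfg'/'ListsCfg' shapes are simplified stand-ins, the sample list and field names are hypothetical, and reading "relies on 'isFilterable'" as "'isFilterable' is a function" is an assumption.

```typescript
// Added audit sketch, not Keystone code. FieldCfg/ListsCfg are simplified
// stand-ins (assumption) for the field options the advisory names.
type FieldCfg = {
  isFilterable?: boolean | ((args: unknown) => boolean | Promise<boolean>);
  graphql?: { omit?: boolean | { read?: boolean } };
};
type ListsCfg = Record<string, { fields: Record<string, FieldCfg> }>;

const FIXED = [6, 5, 2]; // first patched release per the advisory

// True when a plain x.y.z version string is older than 6.5.2.
function isAffectedVersion(version: string): boolean {
  const parts = version.split(".").map((p) => parseInt(p, 10));
  for (let i = 0; i < FIXED.length; i++) {
    const have = parts[i] || 0;
    const want = FIXED[i] ?? 0;
    if (have !== want) return have < want;
  }
  return false;
}

// The advisory's second mitigation: field omitted from the read schema.
function readOmitted(f: FieldCfg): boolean {
  const omit = f.graphql?.omit;
  return omit === true || (typeof omit === "object" && omit.read === true);
}

// Fields still needing a mitigation: on an affected version, filter access is
// decided by a function (assumed meaning of "relies on isFilterable") and the
// field is readable through GraphQL.
function fieldsNeedingMitigation(version: string, lists: ListsCfg): string[] {
  if (!isAffectedVersion(version)) return [];
  const out: string[] = [];
  for (const [listKey, list] of Object.entries(lists)) {
    for (const [fieldKey, f] of Object.entries(list.fields)) {
      if (typeof f.isFilterable === "function" && !readOmitted(f)) out.push(`${listKey}.${fieldKey}`);
    }
  }
  return out;
}

// Constructed sample config; list and field names are hypothetical.
const adminOnly = (_args: unknown): boolean => false;
const sampleLists: ListsCfg = {
  User: { fields: {
    name: { isFilterable: true },
    email: { isFilterable: adminOnly },
    apiKey: { isFilterable: false },
    resetToken: { isFilterable: adminOnly, graphql: { omit: { read: true } } },
  } },
};
```

Fields that leave 'isFilterable' unset are not reported, so review those separately.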