What is CVE-2023-40027?

CVE-2023-40027 is a low-severity vulnerability in Keystonejs Keystone, classified under Missing Authorization. CVSS score: 3.7/10. Published 2023-08-15.

How severe is CVE-2023-40027?

Low severity. CVSS v3 base score is 3.7 out of 10.

Auth bypass in Keystonejs Keystone

CVE-2023-40027

Keystone is an open source headless CMS for Node.js — built with GraphQL and React. When `ui.isAccessAllowed` is set as `undefined`, the `adminMeta` GraphQL query is publicly accessible (no session required). This is different to the behav…

Vulnerability class: Broken Access Control

EPSS: 0.003 (55.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 3.7 (Low). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N.

Affected products

Keystonejs Keystone — versions < 5.5.1

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

https://github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c (x_refsource_CONFIRM)
https://github.com/keystonejs/keystone/pull/8771 (x_refsource_MISC)
https://github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284 (x_refsource_MISC)

Frequently asked questions

What is CVE-2023-40027?: CVE-2023-40027 is a low-severity vulnerability in Keystonejs Keystone, classified under Missing Authorization. CVSS score: 3.7/10. Published 2023-08-15.
How severe is CVE-2023-40027?: Low severity. CVSS v3 base score is 3.7 out of 10.