CVE-2023-40027
CVSS 3.1 Score 5.3 of 10 (medium)
Details
Summary
CVE-2023-40027 affects Keystone, an open-source headless CMS for Node.js. When the `ui.isAccessAllowed` setting is undefined, the `adminMeta` GraphQL query becomes publicly accessible, bypassing the expected session requirement. This deviates from the behavior of the default AdminUI middleware, which only publicly exposes `adminMeta` without a session if a `session` strategy is not defined. This vulnerability does not impact users of `@keystone-6/auth` or those with custom `ui.isAccessAllowed` implementations. However, users relying on the default session strategy to secure `adminMeta` are potentially affected. A patch has been released in `@keystone-6/core` version 5.5.1, and users are strongly advised to upgrade. Those unable to do so may consider implementing custom `isAccessAllowed` logic to mitigate the risk.