Prototype Pollution Authorization Bypass in ApostropheCMS
CVE-2026-53609 is a prototype pollution vulnerability in ApostropheCMS, an open-source Node.js CMS, affecting versions up to and including 4.30.0. The issue is caused by apos.util.set() traversing attacker-controlled dot-notation paths without sanitizing the special property __proto__. Through the $pullAll patch operator, an authenticated user with editor privileges can write arbitrary properties to Object.prototype. The advisory further identifies a confirmed gadget in publicApiCheck() that consumes polluted prototype properties in a way that bypasses authorization checks. After successful pollution, all subsequent unauthenticated requests to piece-type REST API endpoints can be treated as authorized for the lifetime of the Node.js process.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Object.prototype and trigger a process-wide authorization bypass affecting all piece-type REST API endpoints. Because the polluted prototype persists for the lifetime of the Node.js process, every subsequent unauthenticated request can inherit the bypass condition until the process is restarted. This can expose sensitive content and API functionality to unauthenticated attackers and may permit unauthorized reads and other actions permitted by the affected endpoints. The provided CVSS context indicates high confidentiality impact with low integrity and availability impact.Mitigation
If you can’t patch tonight, do this now.
$pullAll on attacker-controlled paths. Limit creation and use of editor accounts, enforce strong authentication, and monitor for suspicious patch requests containing __proto__ or similar prototype-manipulation keys. If compromise is suspected, restart the Node.js process to clear polluted prototype state, recognizing this is only a temporary recovery step. Where feasible, place affected piece-type REST API endpoints behind additional access controls or temporarily disable public exposure.Remediation
Patch, then assume compromise.
__proto__ in apos.util.set() and any equivalent path-setting logic, and by hardening authorization logic in publicApiCheck() so it does not rely on prototype-inherited properties. Once a vendor patch is released, upgrade to the fixed version immediately.Exploits
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.