
KeystoneJS

v2026-03-19 Security

This release includes 1 security fix that security teams reviewing exposed deployments should note.

This release patches 1 known CVE

Topics

cms cms-framework graphql keystonejs nodejs react

Summary

AI summary

Fixed CVE-2026-33326 – bypass of isFilterable access control in findMany queries via the cursor parameter.

Full changelog

The following packages have been updated

@keystone-6/[email protected]

Bug Fixes

  • [core] Fix isFilterable bypass via cursor parameter in findMany query (#9790) @n0wsh

🚨 Security Updates

We have identified and fixed 1 security vulnerability

  • CVE-2026-33326 - {field}.isFilterable access control could be bypassed in findMany queries by passing a cursor. This could be used to confirm the existence of records by protected field values.

👀 Review

See https://github.com/keystonejs/keystone/compare/2025-05-06...2026-03-19 to compare with our previous release.

Security Fixes

  • CVE-2026-33326 — {field}.isFilterable access control could be bypassed in `findMany` queries by passing a `cursor`, allowing existence confirmation of protected records.


About KeystoneJS

CMS and web application platform.
