Hello Everyone,
One of my clients is utilizing AEM Cloud, but our internal team has discovered a critical vulnerability that has not been communicated by the Adobe Cloud team.
Here are the steps to replicate the issue:
I would like to know if anyone else has encountered this vulnerability. If so, how was it addressed?
Has Adobe Cloud provided a solution (please include the security patch number or Adobe link), or did your development team handle it?
Please share the details of any solutions that were implemented.
Note: Though I found the blog, I need to understand which Adobe Security Patch is linked to it.
Hello @avesh_narang
Below is a recently published knowledge-base article for AEMaaCS that describes a situation similar to yours:
https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27832
That article explains that:
- Requests to /bin/querybuilder.json and /etc/truststore.json can bypass Dispatcher filters when certain characters (like ; / %3B) are present.
- The recommended mitigation is to update the Apache vhost configuration to block those patterns at the web‑server level.
For an AEMaaCS setup:
- Apply the LocationMatch fix described in the KB article in your Dispatcher/Apache configuration.
- Add or verify Dispatcher filter rules that deny /bin/querybuilder.json on publish.
- Review your ACLs so that anonymous users cannot read internal areas like /home, /etc, /apps, etc.
This is also being tracked with Adobe Engineering. If you’re on AEMaaCS and want confirmation for your specific environment, you can also open an Adobe Support ticket so Support can align you with the latest platform-side fixes.
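To make the two layers in that answer concrete, here is an illustrative configuration. It is an added example, not the directive from the KB article or Adobe's archetype; the rule numbers, file paths and patterns are assumptions to adapt to your own filters.any and vhost:

```apache
# --- Dispatcher filter layer (conf.dispatcher.d/filters/filters.any) ---
# Example only; rule numbers are placeholders. Deny the internal endpoints on
# publish regardless of any allow rules that precede them.
/filter {
  # ... existing archetype rules ...
  /0901 { /type "deny" /url "*/bin/querybuilder*" }
  /0902 { /type "deny" /url "*/etc/truststore*" }
}

# --- Apache vhost layer (conf.d/available_vhosts/<site>.vhost) ---
# Example only. <LocationMatch> compares against the percent-decoded request
# path, so a ';' sent raw or as %3B is matched the same way here, which is why
# the KB article recommends blocking at the web-server level instead of relying
# on the filter rules above alone. Deny the same endpoints and any path that
# carries a semicolon.
<LocationMatch "^/(bin/querybuilder\.json|etc/truststore\.json)|;">
    Require all denied
</LocationMatch>
```

Deploy this to a development or stage environment first and confirm in the Apache access log that requests to those endpoints, with and without the semicolon variants, come back as 403 while normal page and asset requests are unaffected; `Require all denied` is Apache 2.4 syntax, which is what AEMaaCS Dispatcher uses.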
Hi @avesh_narang,
Maybe you can try authenticating access to the AEM Query Builder and GraphQL endpoints, including the specific URL provided, using the following methods:
- When calling /bin/querybuilder.json or GraphQL endpoints directly from within an AEM-managed environment (e.g., from a custom component or backend service), the request typically inherits the existing AEM user session.
-Tarun
Thanks @TarunKumar,
I see that this could be a possible solution, but there may be additional patterns that could bypass this validation.
Given that the dispatcher settings are the defaults when establishing the Maven repository and affect all Adobe clients, Adobe might have encountered this issue and could have provided a security patch for it.
I would appreciate community assistance in guiding me to the correct security patch, ensuring it is a foolproof solution and endorsed by Adobe.
Thanks
Thanks @muskaanchandwani,
The article you provided is truly beneficial.
However, since we are using AEMaaCS, I believe we should receive this information as part of the monthly release notes, along with the suggested method to address it.
If this is a reasonable assumption, I am trying to find which release this fix has been included in, to verify whether it has been overlooked on our side.
Thanks!