Skip to main content

Strapi CVE-2026-22706

| EUVDEUVD-2026-30355 LOW
Insufficient Session Expiration (CWE-613)
2026-05-13 https://github.com/strapi/strapi GHSA-hvp3-26wx-g2w4
2.1
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 08, 2026 - 12:52 vuln.today
Analysis Generated
Jun 08, 2026 - 12:52 vuln.today
CVSS changed
May 14, 2026 - 19:22 NVD
2.1 (LOW)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 npm packages depend on @strapi/admin (3 direct, 1 indirect)

Ecosystem-wide dependent count for version 5.33.3.

DescriptionGitHub Advisory

Summary of CVE-2026-22706 Vulnerability Details

  • CVE: CVE-2026-22706
  • CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N (2.1 - Low)
  • Affected Versions: @strapi/admin and @strapi/plugin-users-permissions <=5.33.2
  • How to Patch: Immediately update your Strapi to >=5.33.3

Description of CVE-2026-22706

In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and admin authentication controllers was conditional on a caller-supplied deviceId. When a password change or reset request did not include a deviceId, no refresh tokens were revoked, leaving every prior session active.

An attacker who had previously obtained a refresh token could continue minting new access tokens after the legitimate user reset their password, allowing persistent unauthorized access for the lifetime of the refresh token (up to 30 days by default). Rotating credentials no longer terminated an active attacker session, defeating password reset as a containment measure.

The patch invalidates all refresh tokens associated with the user on every password change and password reset, regardless of whether a deviceId is supplied. A new device-scoped session is then issued to the caller as part of the response.

IoC's for CVE-2026-22706

Indicators that an instance running an unpatched version may have been exploited:

  • Successful POST /api/auth/refresh or POST /admin/access-token requests using a refresh token issued before the user's most recent password change. Reviewable by correlating refresh-token iat claims against password-change events in audit logs
  • New access-token issuances for a user whose password was reset within the past 30 days, originating from an IP or User-Agent that did not perform the reset
  • Multiple active refresh tokens for a single user across distinct IPs after a password reset event
  • Database query: rows in strapi_session with created_at earlier than the user's most recent password-reset timestamp and status = 'active'

References

  • OWASP ASVS 4.0 - V2.1.1: Session invalidation on credential change
  • OWASP Top 10 - A2: Broken Authentication

Credits

  • bugbunny.ai
  • AndyAnh174 (concurrent report, 2026-04-09 - originally filed as GHSA-c6gj-8rxm-jrf2, closed as duplicate)
  • Aastha2602 (concurrent report, 2026-03-10 - originally filed as GHSA-5qvg-4jch-gvf4, closed as duplicate)

AnalysisAI

Insufficient session expiration in Strapi versions prior to 5.33.3 allows an authenticated attacker who has previously obtained a valid refresh token to maintain persistent unauthorized access even after the account owner resets their password. Both the admin panel (@strapi/admin) and the API-facing users-permissions plugin (@strapi/plugin-users-permissions) are affected, covering all Strapi deployments up to and including 5.33.2. Because the refresh-token invalidation logic was gated on a caller-supplied deviceId parameter, a password reset without that parameter left all prior refresh sessions alive - meaning credential rotation failed to evict an attacker for up to 30 days by default. No public exploit has been identified at time of analysis, and SSVC confirms exploitation status as none.

Technical ContextAI

Strapi is a Node.js headless CMS distributed as npm packages. The vulnerability resides in two authentication controllers: the admin panel controller in @strapi/admin and the end-user controller in @strapi/plugin-users-permissions (both pkg:npm). CWE-613 (Insufficient Session Expiration) applies directly: the system issues long-lived refresh tokens (default 30-day lifetime) but the server-side invalidation logic for those tokens was predicated on the presence of a deviceId field in the password-change or password-reset request body. When a client omitted deviceId - which is the common case for programmatic or automated password resets - the revocation step was silently skipped, leaving all previously issued refresh tokens active in the strapi_session store. The patch unconditionally invalidates every refresh token tied to the target user account on any credential-change event, regardless of deviceId presence, then re-issues a fresh device-scoped session to the caller.

RemediationAI

Upgrade both @strapi/admin and @strapi/plugin-users-permissions to version 5.33.3 or later; this is the vendor-released patch confirmed by GHSA-hvp3-26wx-g2w4 (https://github.com/strapi/strapi/security/advisories/GHSA-hvp3-26wx-g2w4). If immediate upgrade is not feasible, administrators should manually audit the strapi_session table and revoke any rows with created_at earlier than the most recent password-reset timestamp for each user (status = 'active'), particularly for accounts that have undergone a recent password change in response to a suspected compromise. Additionally, consider reducing the refresh-token lifetime from the 30-day default to a shorter window to limit attacker dwell time in the interim. Note that reducing token lifetime will cause more frequent re-authentication prompts for legitimate users. There is no configuration toggle to enforce unconditional session invalidation on password reset without applying the 5.33.3 patch.

Share

CVE-2026-22706 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy