Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 4 npm packages depend on @strapi/admin (3 direct, 1 indirect)
Ecosystem-wide dependent count for version 5.33.3.
DescriptionGitHub Advisory
Summary of CVE-2026-22706 Vulnerability Details
- CVE: CVE-2026-22706
- CVSS v3.1 Vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N(2.1 - Low) - Affected Versions:
@strapi/adminand@strapi/plugin-users-permissions<=5.33.2 - How to Patch: Immediately update your Strapi to >=5.33.3
Description of CVE-2026-22706
In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and admin authentication controllers was conditional on a caller-supplied deviceId. When a password change or reset request did not include a deviceId, no refresh tokens were revoked, leaving every prior session active.
An attacker who had previously obtained a refresh token could continue minting new access tokens after the legitimate user reset their password, allowing persistent unauthorized access for the lifetime of the refresh token (up to 30 days by default). Rotating credentials no longer terminated an active attacker session, defeating password reset as a containment measure.
The patch invalidates all refresh tokens associated with the user on every password change and password reset, regardless of whether a deviceId is supplied. A new device-scoped session is then issued to the caller as part of the response.
IoC's for CVE-2026-22706
Indicators that an instance running an unpatched version may have been exploited:
- Successful
POST /api/auth/refreshorPOST /admin/access-tokenrequests using a refresh token issued before the user's most recent password change. Reviewable by correlating refresh-tokeniatclaims against password-change events in audit logs - New access-token issuances for a user whose password was reset within the past 30 days, originating from an IP or User-Agent that did not perform the reset
- Multiple active refresh tokens for a single user across distinct IPs after a password reset event
- Database query: rows in
strapi_sessionwithcreated_atearlier than the user's most recent password-reset timestamp andstatus = 'active'
References
- OWASP ASVS 4.0 - V2.1.1: Session invalidation on credential change
- OWASP Top 10 - A2: Broken Authentication
Credits
- bugbunny.ai
- AndyAnh174 (concurrent report, 2026-04-09 - originally filed as GHSA-c6gj-8rxm-jrf2, closed as duplicate)
- Aastha2602 (concurrent report, 2026-03-10 - originally filed as GHSA-5qvg-4jch-gvf4, closed as duplicate)
AnalysisAI
Insufficient session expiration in Strapi versions prior to 5.33.3 allows an authenticated attacker who has previously obtained a valid refresh token to maintain persistent unauthorized access even after the account owner resets their password. Both the admin panel (@strapi/admin) and the API-facing users-permissions plugin (@strapi/plugin-users-permissions) are affected, covering all Strapi deployments up to and including 5.33.2. Because the refresh-token invalidation logic was gated on a caller-supplied deviceId parameter, a password reset without that parameter left all prior refresh sessions alive - meaning credential rotation failed to evict an attacker for up to 30 days by default. No public exploit has been identified at time of analysis, and SSVC confirms exploitation status as none.
Technical ContextAI
Strapi is a Node.js headless CMS distributed as npm packages. The vulnerability resides in two authentication controllers: the admin panel controller in @strapi/admin and the end-user controller in @strapi/plugin-users-permissions (both pkg:npm). CWE-613 (Insufficient Session Expiration) applies directly: the system issues long-lived refresh tokens (default 30-day lifetime) but the server-side invalidation logic for those tokens was predicated on the presence of a deviceId field in the password-change or password-reset request body. When a client omitted deviceId - which is the common case for programmatic or automated password resets - the revocation step was silently skipped, leaving all previously issued refresh tokens active in the strapi_session store. The patch unconditionally invalidates every refresh token tied to the target user account on any credential-change event, regardless of deviceId presence, then re-issues a fresh device-scoped session to the caller.
RemediationAI
Upgrade both @strapi/admin and @strapi/plugin-users-permissions to version 5.33.3 or later; this is the vendor-released patch confirmed by GHSA-hvp3-26wx-g2w4 (https://github.com/strapi/strapi/security/advisories/GHSA-hvp3-26wx-g2w4). If immediate upgrade is not feasible, administrators should manually audit the strapi_session table and revoke any rows with created_at earlier than the most recent password-reset timestamp for each user (status = 'active'), particularly for accounts that have undergone a recent password change in response to a suspected compromise. Additionally, consider reducing the refresh-token lifetime from the 30-day default to a shorter window to limit attacker dwell time in the interim. Note that reducing token lifetime will cause more frequent re-authentication prompts for legitimate users. There is no configuration toggle to enforce unconditional session invalidation on password reset without applying the 5.33.3 patch.
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30355
GHSA-hvp3-26wx-g2w4