Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network vector with high complexity captures jwtSecret prerequisite; no Strapi privileges needed; limited confidentiality and integrity impact from auth bypass; no availability or scope change.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Strapi users-permissions plugin fails to restrict JWT algorithms when plugin::users-permissions.jwt.algorithm is not explicitly configured, allowing acceptance of HS384 and HS512 tokens alongside HS256. Attackers possessing the jwtSecret can mint tokens with non-standard HMAC variants to bypass algorithm restrictions and weaken authentication controls.
AnalysisAI
JWT algorithm confusion in Strapi's users-permissions plugin enables authentication control weakening when the plugin::users-permissions.jwt.algorithm setting is absent from configuration. The plugin silently accepts HS384 and HS512 tokens alongside the intended HS256, allowing an attacker who has already obtained the jwtSecret to mint tokens using non-standard HMAC variants and bypass any algorithm-enforcement logic. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation unconditionally requires that the attacker already possesses the Strapi jwtSecret value - this is the hard prerequisite with no known bypass. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.3 with AV:N/AC:H/AT:P/PR:N/UI:N appropriately characterizes this as a medium-severity, technically constrained issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained Strapi's jwtSecret - through a misconfigured deployment leaking environment variables, a committed .env file, or infrastructure compromise - crafts a JWT with an HS384 or HS512 algorithm header and signs it with the known secret. Submitting this non-standard token to the Strapi API succeeds because the unconfigured users-permissions plugin accepts any valid HMAC variant, granting the attacker an authenticated session as an arbitrary user including administrators. … |
| Remediation | An upstream fix is available via GitHub pull request #26752 at https://github.com/strapi/strapi/pull/26752; however, a formally tagged patched release version is not independently confirmed from the available input data - operators should monitor the Strapi releases page at https://github.com/strapi/strapi for the corresponding versioned release and upgrade promptly once available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Strapi is the an open-source headless content management system. Rated critical severity (CVSS 9.8), this vulnerability
An arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 allows attackers to execute arbitrary
strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/s
An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XS
Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses. Rated high severity
Strapi v4.24.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /strapi.io/_next/image.
Strapi is an open-source content management system. Rated high severity (CVSS 8.1), this vulnerability is remotely explo
In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password
strapi is an open-source headless CMS. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au
Strapi is an open-source headless content management system. Rated high severity (CVSS 7.5), this vulnerability is remot
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login pro
Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitra
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40234
GHSA-93c7-w42j-xh4p