Skip to main content

Strapi EUVDEUVD-2026-30366

| CVE-2026-27886 CRITICAL
Path Traversal (CWE-22)
2026-05-14 https://github.com/strapi/strapi GHSA-rjg2-95x7-8qmx
9.2
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch available
May 14, 2026 - 20:17 EUVD
Analysis Updated
May 14, 2026 - 19:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 14, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
May 14, 2026 - 19:22 NVD
9.2 (CRITICAL)
Source Code Evidence Fetched
May 14, 2026 - 14:02 vuln.today
Analysis Generated
May 14, 2026 - 14:02 vuln.today
CVE Published
May 14, 2026 - 13:17 nvd
CRITICAL

DescriptionGitHub Advisory

Summary of CVE-2026-27886 Vulnerability Details

  • CVE: CVE-2026-27886
  • CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N (9.3 - Critical)
  • Affected Versions: @strapi/strapi <=5.36.1
  • How to Patch: Immediately update your Strapi to >=5.37.0

Description of CVE-2026-27886

Strapi versions prior to 5.37.0 did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker could use the where query parameter on any publicly-accessible content-type with an updatedBy (or other admin-relation) field to perform a boolean-oracle attack against private fields on the joined admin_users table, including the resetPasswordToken field. Extracting an admin reset token via this oracle made full administrative account takeover possible without authentication.

When a filter such as where[updatedBy][resetPasswordToken][$startsWith]=a was applied to a public Content API endpoint, the underlying query generation performed a LEFT JOIN against the admin_users table and emitted a WHERE clause referencing the joined column. The query parameter sanitization layer did not block operator chains that traversed into relational target schemas the caller had no read permission on, allowing the response count to be used as a one-bit oracle on any admin-table field.

The patch introduces explicit query-parameter sanitization at the controller and service boundary via three new primitives: strictParam, addQueryParams, and addBodyParams. Operator chains that traverse into restricted relational targets are now rejected before reaching the database.

IoC's for CVE-2026-27886

Indicators that an instance running an unpatched version may have been exploited:

  • Server access logs containing query strings traversing into admin-relation private fields. Regex: \?(.*&)?where\[(updatedBy|createdBy|publishedBy)\]\[(email|password|resetPasswordToken|confirmationToken|firstname|lastname|preferedLanguage)\]\[\$(startsWith|contains|eq|gt|lt|ge|le|in|notIn|notNull|null)\]=
  • High volume of public Content API requests from a single IP iterating through a hex alphabet (0-9, a-f) on the same content-type endpoint with progressively-longer filter values
  • Subsequent POST /admin/reset-password calls using a reset token that the legitimate admin did not request
  • Successful admin password change immediately following a burst of public Content API requests with where[updatedBy] query parameters
  • Sustained burst of identical-shape requests with only the trailing character of the filter value varying

Credit

Discovered by: James Doll - WildWest CyberSecurity Contact: cve+2026-27886@wildwestcyber.com Website: https://wildwestcyber.com LinkedIn: https://www.linkedin.com/in/james-doll-273a61243

AnalysisAI

Boolean-oracle information disclosure in Strapi Content API allows remote unauthenticated attackers to extract admin password-reset tokens and achieve full administrative account takeover. Strapi versions 4.0.0 through 5.36.1 fail to sanitize relational query parameters on public content-type endpoints. By crafting where filters that traverse into joined admin_users table columns (e.g., where[updatedBy][resetPasswordToken][$startsWith]=a), attackers perform character-by-character oracle attacks against private admin fields, then use the extracted reset token to hijack administrator accounts. WildWest CyberSecurity reports this critical vulnerability with CVSS 9.3, affecting all Strapi deployments with public content-types containing admin-relation fields (updatedBy, createdBy, publishedBy). Vendor-released patch available in version 5.37.0. No active exploitation or public POC identified at time of analysis.

Technical ContextAI

Strapi is a popular open-source headless CMS built on Node.js. This vulnerability exploits the interaction between Strapi's Content API query filtering system and its ORM layer (typically Knex.js). When public content-type endpoints expose relational fields like updatedBy (a foreign key to the admin_users table), the ORM generates SQL queries with LEFT JOIN clauses to allow filtering by related entity properties. The flaw lies in insufficient authorization enforcement at the query parameter sanitization boundary-specifically, the framework did not validate that the caller possessed read permission on the joined table's schema before allowing WHERE clauses to reference its columns. The where[relation][private_field][$operator]=value parameter chain triggers a database query that joins the restricted admin_users table and applies a filter on sensitive columns like resetPasswordToken, password, or email. Although the API never returns the field values directly, the COUNT or presence/absence of matching records in the response acts as a one-bit oracle. By repeatedly querying with $startsWith operators and incrementing the prefix character-by-character (a classic timing-independent blind boolean attack), an attacker can reconstruct the full value of any admin table field. The patched version introduces three new query sanitization primitives (strictParam, addQueryParams, addBodyParams) that enforce schema-level access control before query construction, rejecting operator chains traversing into restricted relational targets regardless of SQL injection or other injection vectors.

RemediationAI

Upgrade to Strapi version 5.37.0 or later immediately, which introduces query-parameter sanitization primitives that block unauthorized relational traversal. Update via npm: npm install @strapi/strapi@5.37.0 or yarn: yarn upgrade @strapi/strapi@5.37.0, then restart the application. Verify the upgrade with npm list @strapi/strapi. If immediate patching is not feasible, implement these compensating controls with noted trade-offs: (1) Disable public access to all content-type endpoints that include admin-relation fields (updatedBy, createdBy, publishedBy) by requiring authentication-breaks unauthenticated read use cases but eliminates attack vector. (2) Configure WAF or reverse proxy (nginx, Cloudflare) to block query strings matching the IoC regex pattern where\[(updatedBy|createdBy|publishedBy)\]\[ on public routes-may cause false positives if legitimate queries filter by user metadata, requires regex engine performance tuning. (3) Remove updatedBy/createdBy fields from public content-type schemas via Strapi admin panel Content-Type Builder-loses audit trail metadata, impacts workflows relying on authorship tracking. (4) Rate-limit public Content API endpoints to <10 req/min per IP-slows oracle attacks but does not prevent them, impacts legitimate high-traffic use cases. Monitor server logs for the provided IoC regex and alert on ≥100 requests/hour from single IPs with incrementing filter values. None of these mitigations fully prevent exploitation; upgrading is the only complete fix. Vendor advisory at https://github.com/strapi/strapi/security/advisories/GHSA-rjg2-95x7-8qmx.

Share

EUVD-2026-30366 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy