Skip to main content

Strapi EUVDEUVD-2026-40234

| CVE-2026-57997 MEDIUM
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
2026-06-29 VulnCheck GHSA-93c7-w42j-xh4p
6.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.8 MEDIUM

Network vector with high complexity captures jwtSecret prerequisite; no Strapi privileges needed; limited confidentiality and integrity impact from auth bypass; no availability or scope change.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 21:51 vuln.today

DescriptionCVE.org

Strapi users-permissions plugin fails to restrict JWT algorithms when plugin::users-permissions.jwt.algorithm is not explicitly configured, allowing acceptance of HS384 and HS512 tokens alongside HS256. Attackers possessing the jwtSecret can mint tokens with non-standard HMAC variants to bypass algorithm restrictions and weaken authentication controls.

AnalysisAI

JWT algorithm confusion in Strapi's users-permissions plugin enables authentication control weakening when the plugin::users-permissions.jwt.algorithm setting is absent from configuration. The plugin silently accepts HS384 and HS512 tokens alongside the intended HS256, allowing an attacker who has already obtained the jwtSecret to mint tokens using non-standard HMAC variants and bypass any algorithm-enforcement logic. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain jwtSecret via config leak or secrets exposure
Delivery
Craft JWT using HS384 or HS512 algorithm header
Exploit
Sign token with known jwtSecret
Execution
Submit forged token to Strapi API endpoint
Impact
Gain unauthorized authenticated session as target user

Vulnerability AssessmentAI

Exploitation Exploitation unconditionally requires that the attacker already possesses the Strapi jwtSecret value - this is the hard prerequisite with no known bypass. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.3 with AV:N/AC:H/AT:P/PR:N/UI:N appropriately characterizes this as a medium-severity, technically constrained issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained Strapi's jwtSecret - through a misconfigured deployment leaking environment variables, a committed .env file, or infrastructure compromise - crafts a JWT with an HS384 or HS512 algorithm header and signs it with the known secret. Submitting this non-standard token to the Strapi API succeeds because the unconfigured users-permissions plugin accepts any valid HMAC variant, granting the attacker an authenticated session as an arbitrary user including administrators. …
Remediation An upstream fix is available via GitHub pull request #26752 at https://github.com/strapi/strapi/pull/26752; however, a formally tagged patched release version is not independently confirmed from the available input data - operators should monitor the Strapi releases page at https://github.com/strapi/strapi for the corresponding versioned release and upgrade promptly once available. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Strapi

View all
CVE-2023-38507 CRITICAL POC
9.8 Sep 15

Strapi is the an open-source headless content management system. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2022-27263 CRITICAL POC
9.8 Apr 12

An arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 allows attackers to execute arbitrary

CVE-2019-18818 CRITICAL POC
9.8 Nov 07

strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/s

CVE-2022-32114 HIGH POC
8.8 Jul 13

An unrestricted file upload vulnerability in the Add New Assets function of Strapi 4.1.12 allows attackers to conduct XS

CVE-2022-31367 HIGH POC
8.8 Sep 27

Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses. Rated high severity

CVE-2024-37818 HIGH POC
8.6 Jun 20

Strapi v4.24.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /strapi.io/_next/image.

CVE-2024-34065 HIGH POC
8.1 Jun 12

Strapi is an open-source content management system. Rated high severity (CVSS 8.1), this vulnerability is remotely explo

CVE-2021-28128 HIGH POC
8.1 May 06

In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password

CVE-2023-39345 HIGH POC
7.5 Nov 06

strapi is an open-source headless CMS. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no au

CVE-2023-34235 HIGH POC
7.5 Jul 25

Strapi is an open-source headless content management system. Rated high severity (CVSS 7.5), this vulnerability is remot

CVE-2023-22893 HIGH POC
7.5 Apr 19

Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login pro

CVE-2023-22621 HIGH POC
7.2 Apr 19

Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitra

Share

EUVD-2026-40234 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy