Description
Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from `ctx.request.body.email`, including on routes whose body schema does not contain an `email` field (`/auth/local`, `/auth/reset-password`, `/auth/change-password`). An unauthenticated attacker could include an arbitrary `email` value in the request body to obtain a fresh rate-limit key per request, effectively bypassing per-IP throttling on those routes and enabling high-volume credential brute-force, password-reset code brute-force, and credential-stuffing attempts.

The rate-limit key was constructed as `${userIdentifier}:${requestPath}:${ctx.request.ip}`, where `userIdentifier = ctx.request.body.email`. On routes that legitimately use email as their identifier (e.g. `/auth/forgot-password`, `/auth/local/register`), this scoping is correct. On routes that use a different identifier (`identifier` for login, `code` for password reset, `currentPassword` for password change), the email field was not part of the route contract, but the middleware still incorporated it into the key, allowing a caller to rotate the value and obtain a unique key on every request.

The patch in version 5.45.0 maintains an allow-list of routes that legitimately key on the email field and excludes that key component on every other route the middleware is mounted on. OAuth callback paths (`/connect/*`) are treated as identifier-less. On routes outside the allow-list, the middleware now falls back to a fixed identifier-less key, ensuring per-IP throttling remains effective even when the request body is attacker-controlled.
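The key derivation described above, written out as an added illustration (not Strapi's own code) with a minimal per-key counter that shows why a rotated `email` defeats the old key but not the allow-listed one. The route names, the key format and the allow-list come from the description; the `ctx` shape, the counter and the sample requests are assumptions.

```javascript
// Added illustration, not Strapi's code. Route set, key format and allow-list are
// taken from the advisory text; the ctx shape and the counter are assumed.
const EMAIL_KEYED_ROUTES = new Set(['/auth/forgot-password', '/auth/local/register']);

// Pre-5.45.0 behaviour as described: whatever body.email holds becomes part of the key,
// on every route the middleware is mounted on.
function vulnerableKey(ctx) {
  const userIdentifier = ctx.request.body.email;
  return `${userIdentifier}:${ctx.request.path}:${ctx.request.ip}`;
}

// Fixed behaviour as described: only allow-listed routes key on email; OAuth callbacks
// under /connect/ and every other route fall back to a fixed identifier-less key.
function fixedKey(ctx) {
  const path = ctx.request.path;
  const emailKeyed = EMAIL_KEYED_ROUTES.has(path) && !path.startsWith('/connect/');
  const userIdentifier = emailKeyed ? String(ctx.request.body.email ?? '') : '';
  return `${userIdentifier}:${path}:${ctx.request.ip}`;
}

// Minimal in-memory limiter (assumed): count hits per key, refuse beyond `max`.
function makeLimiter(keyFn, max) {
  const hits = new Map();
  return (ctx) => {
    const key = keyFn(ctx);
    const n = (hits.get(key) ?? 0) + 1;
    hits.set(key, n);
    return n <= max; // true = request allowed, false = throttled
  };
}

// Constructed traffic: one source IP hammering the login route, body.email rotated
// on every attempt. Returns how many of `attempts` got past the limiter.
function simulate(keyFn, attempts, max) {
  const allow = makeLimiter(keyFn, max);
  let allowed = 0;
  for (let i = 0; i < attempts; i++) {
    const ctx = { request: { path: '/auth/local', ip: '203.0.113.7',
      body: { identifier: 'victim', password: `guess${i}`, email: `x${i}@example.com` } } };
    if (allow(ctx)) allowed++;
  }
  return allowed;
}
```

With a limit of 5 per key, the vulnerable derivation lets all 20 rotated-email attempts through, while the fixed derivation stops at 5 because the login route never contributes `email` to the key.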
Published: 2026-05-14
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Strapi's users-permissions plugin rate-limited its authentication endpoints with a key that included the email field from the request body. Because the key was built that way even on endpoints whose body schema does not accept an email, an unauthenticated sender could supply a unique email per request. Each call therefore produced a new key, effectively negating per-IP throttling and allowing the attacker to perform credential brute-force, password-reset code abuse, or credential-stuffing against the CMS.

Affected Systems

Affected are installations of Strapi whose users-permissions plugin (plugin-users-permissions) is any version earlier than 5.45.0. Deployments on Strapi v5.44.x or older may be subject to the bypass on routes such as /auth/local, /auth/reset-password, and /auth/change-password.

Risk and Exploitability

With a CVSS base score of 6.9, the vulnerability presents moderate severity. The low EPSS score (below 1%) and the absence of a KEV listing indicate no widely observed exploitation yet, but that does not eliminate the threat. An attacker can exploit the flaw by sending crafted POST requests that include a unique email address to the targeted authentication endpoints, thereby obtaining a fresh rate-limit key on each attempt. If the CMS is exposed to the public internet, the ability to bypass throttling may result in successful credential attacks, elevating the likelihood of data compromise.

Generated by OpenCVE AI on May 14, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Strapi to version 5.45.0 or later, which removes the email component from the rate-limit key on routes that do not use it.
  • If an immediate upgrade is not possible, modify the rate-limit middleware to use a fixed identifier-less key on routes that do not key on email, or an allow-list of the routes that legitimately do.
  • Deploy application firewall rules to enforce a maximum number of authentication attempts per IP and alert on repeated failures.



Advisories

Source: GitHub GHSA
ID: GHSA-7mqx-wwh4-f9fw
Title: Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying
History

Sat, 16 May 2026 03:45:00 +0000 (values added; nothing removed)

First Time appeared: Strapi (vendor), strapi (product)
CPEs: cpe:2.3:a:strapi:strapi:*:*:*:*:*:node.js:*:*
Vendors & Products: Strapi (vendor), strapi (product)
Metrics cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Sat, 16 May 2026 01:15:00 +0000 (values added; nothing removed)

Metrics ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 19:00:00 +0000 (values added; nothing removed)

Description: identical to the description at the top of this page
Title: Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying
Weaknesses: CWE-307
References:
Metrics cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-16T00:49:25.996Z
Reserved: 2025-11-05T21:15:39.401Z
Link: CVE-2025-64526

Vulnrichment

Updated: 2026-05-16T00:48:29.981Z

NVD

Status: Analyzed
Published: 2026-05-14T19:16:29.233
Modified: 2026-05-16T03:30:44.237
Link: CVE-2025-64526

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T20:30:04Z

Weaknesses