Description
Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and admin authentication controllers was conditional on a caller-supplied `deviceId`. When a password change or reset request did not include a `deviceId`, no refresh tokens were revoked, leaving every prior session active. An attacker who had previously obtained a refresh token could continue minting new access tokens after the legitimate user reset their password, allowing persistent unauthorized access for the lifetime of the refresh token (up to 30 days by default). Rotating credentials no longer terminated an active attacker session, defeating password reset as a containment measure. The patch in version 5.33.3 invalidates all refresh tokens associated with the user on every password change and password reset, regardless of whether a `deviceId` is supplied. A new device-scoped session is then issued to the caller as part of the response.
Published: 2026-05-14
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Strapi versions before 5.33.3 mishandled token revocation during password change or reset: existing refresh tokens were not invalidated unless the caller supplied a deviceId. An attacker who has already acquired a valid refresh token can therefore keep minting new access tokens even after the legitimate user has reset their password. The result is persistent unauthorized access for the lifetime of the token, up to 30 days by default, a serious session-management weakness (CWE-613, Insufficient Session Expiration).

Affected Systems

The affected products are Strapi core and the @strapi/admin and @strapi/plugin-users-permissions packages. All releases older than 5.33.3 are vulnerable; 5.33.3 and later remove the dependency on a caller-supplied deviceId and revoke all of the user's refresh tokens on every password change or reset.

Risk and Exploitability

The vulnerability has a low CVSS score of 2.1, no exploitation probability data is available, and it is not listed in the CISA KEV catalog. Because an attacker must already possess a refresh token to exploit the flaw, exploitation presupposes an initial compromise. Once a token is held, however, a password reset will not terminate the session, allowing prolonged unauthorized activity. Because the revocation step ran only when a deviceId was supplied, a request without one skipped it entirely, which makes the issue straightforward to reproduce on affected systems.

Generated by OpenCVE AI on May 14, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Strapi to version 5.33.3 or later to ensure all refresh tokens are revoked automatically on password change or reset.
  • If an upgrade is not immediately possible, manually revoke or rotate all active refresh tokens for users before they reset their password.
  • Modify authentication flows so that token revocation on password change or reset does not depend on a caller-supplied device identifier, and runs even when the caller cannot provide a deviceId.


Tracking


Advisories
Source | ID | Title
Github GHSA | GHSA-hvp3-26wx-g2w4 | Strapi: Password Reset Does Not Revoke Existing Refresh Sessions
History

Sat, 16 May 2026 03:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Strapi; Strapi strapi
CPEs | | cpe:2.3:a:strapi:strapi:*:*:*:*:*:node.js:*:*
Vendors & Products | | Strapi; Strapi strapi
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}


Fri, 15 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and admin authentication controllers was conditional on a caller-supplied `deviceId`. When a password change or reset request did not include a `deviceId`, no refresh tokens were revoked, leaving every prior session active. An attacker who had previously obtained a refresh token could continue minting new access tokens after the legitimate user reset their password, allowing persistent unauthorized access for the lifetime of the refresh token (up to 30 days by default). Rotating credentials no longer terminated an active attacker session, defeating password reset as a containment measure. The patch in version 5.33.3 invalidates all refresh tokens associated with the user on every password change and password reset, regardless of whether a `deviceId` is supplied. A new device-scoped session is then issued to the caller as part of the response.
Title | | Strapi: Password Reset Does Not Revoke Existing Refresh Sessions
Weaknesses | | CWE-613
References | |
Metrics | | cvssV4_0 {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T14:52:06.866Z

Reserved: 2026-01-08T19:23:09.857Z

Link: CVE-2026-22706

Vulnrichment

Updated: 2026-05-15T14:51:52.256Z

NVD

Status : Analyzed

Published: 2026-05-14T19:16:30.700

Modified: 2026-05-16T03:23:41.797

Link: CVE-2026-22706

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T20:30:04Z

Weaknesses