Description
Strapi is an open source headless content management system. Strapi versions starting in 4.0.0 and prior to 5.37.0 did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker could use the `where` query parameter on any publicly-accessible content-type with an `updatedBy` (or other admin-relation) field to perform a boolean-oracle attack against private fields on the joined `admin_users` table, including the `resetPasswordToken` field. Extracting an admin reset token via this oracle made full administrative account takeover possible without authentication. When a filter such as `where[updatedBy][resetPasswordToken][$startsWith]=a` was applied to a public Content API endpoint, the underlying query generation performed a `LEFT JOIN` against the `admin_users` table and emitted a `WHERE` clause referencing the joined column. The query parameter sanitization layer did not block operator chains that traversed into relational target schemas the caller had no read permission on, allowing the response count to be used as a one-bit oracle on any admin-table field. The patch in version 5.37.0 introduces explicit query-parameter sanitization at the controller and service boundary via three new primitives: `strictParam`, `addQueryParams`, and `addBodyParams`. Operator chains that traverse into restricted relational targets are now rejected before reaching the database.
Published: 2026-05-14
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Strapi's query processor failed to sanitize relational filter parameters, allowing an attacker to forge a request to a public Content API endpoint containing a "where" clause that traverses a relationship to an admin table. By crafting boolean operators on hidden fields such as "resetPasswordToken", the attacker can reveal whether a particular token value exists. This Boolean oracle can be exploited to extract an admin reset token, which in turn enables the attacker to perform a full administrative account takeover without any credentials. The flaw is a classic example of information exposure (CWE-200) and path traversal into restricted relational data (CWE-22, CWE-943).

Affected Systems

The vulnerability exists in Strapi versions from 4.0.0 up to, but not including, 5.37.0. Any installation of these releases that exposes a public content type with an "updatedBy" or similar admin-relation field is jeopardised.

Risk and Exploitability

The CVSS score is 9.2, indicating critical severity. While the EPSS score is not available, the absence of authentication on the affected endpoints makes the attack vector trivial for an attacker who can reach the public API. The flaw is not currently listed in CISA KEV, but its exploitation would have severe consequences. Attackers can trigger the Boolean oracle by sending simple GET requests and interpreting response counts, making the vulnerability highly exploitable in practice.

Generated by OpenCVE AI on May 14, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Strapi to version 5.37.0 or later to receive the query-parameter sanitization primitives that reject illegitimate relational filter chains before they reach the database.
  • If an upgrade cannot be performed immediately, disable public read access to all content types that contain admin-relation fields, or remove those fields from public schemas altogether.
  • Implement a temporary request filter that blocks any `where` clause referencing the `admin_users` table until the patch is applied.
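Added example, not Strapi's own code: a request filter of the kind the last recommendation describes. It parses bracket-notation filter keys as they appear in the advisory's `where[updatedBy][resetPasswordToken][$startsWith]=a` and rejects any chain that traverses an admin relation before the query builder sees it. `updatedBy` comes from the advisory; `createdBy` as the other admin relation, `filters` as the REST spelling of the filter root, and the Koa-style `ctx` are assumptions.

```javascript
// Added example (not Strapi's own code): reject Content API requests whose
// filter parameter traverses an admin-relation field before the query is built.
// `updatedBy` is named in the advisory; `createdBy` is assumed to be the other
// Strapi-managed relation to the admin_users table.
const ADMIN_RELATION_FIELDS = new Set(["updatedBy", "createdBy"]);
// `where` is the parameter named in the advisory; `filters` is assumed to be the
// REST-facing spelling of the same filter tree.
const FILTER_ROOTS = new Set(["where", "filters"]);

// Split a bracket-notation key such as `where[updatedBy][resetPasswordToken][$startsWith]`
// into path segments. Brackets may arrive URL-encoded (%5B / %5D); bad encodings stay raw.
function keyToPath(rawKey) {
  let key;
  try { key = decodeURIComponent(rawKey); } catch { key = rawKey; }
  const segments = [];
  const re = /^([^\[\]]+)|\[([^\[\]]*)\]/g;
  let m;
  while ((m = re.exec(key)) !== null) {
    segments.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return segments;
}

// Scan a raw query string; return the first filter path that joins an admin relation
// (the oracle could target any admin_users column), or null. Filters on the content
// type's own fields, e.g. `where[title][$eq]=x`, are left alone.
function findAdminRelationFilter(queryString) {
  const qs = queryString.startsWith("?") ? queryString.slice(1) : queryString;
  for (const pair of qs.split("&")) {
    if (!pair) continue;
    const path = keyToPath(pair.split("=")[0]);
    if (path.length === 0 || !FILTER_ROOTS.has(path[0])) continue;
    // Logical wrappers like `[$or][0]` sit between root and relation, so every
    // segment after the root is checked, not just the first.
    const relation = path.slice(1).find((seg) => ADMIN_RELATION_FIELDS.has(seg));
    if (relation) return { path, relation };
  }
  return null;
}

// Koa-style middleware (Strapi middlewares receive a Koa ctx); wiring it into a
// project is outside this example. Rejected requests never reach the query builder.
async function blockAdminRelationFilters(ctx, next) {
  const hit = findAdminRelationFilter(ctx.request.querystring || "");
  if (hit) {
    ctx.status = 400;
    ctx.body = { error: `filter traverses admin relation '${hit.relation}'` };
    return;
  }
  await next();
}
```

The same `findAdminRelationFilter` check can be run over the query-string column of web-server access logs to find past probing of these paths.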


Tracking


Advisories
Source: Github GHSA
ID: GHSA-rjg2-95x7-8qmx
Title: Strapi may leak sensitive data via relational filtering due to lack of query sanitization
History

Thu, 14 May 2026 20:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Strapi; Strapi strapi
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Strapi; Strapi strapi

Thu, 14 May 2026 19:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: the Description text given at the top of this page
Type: Title
  Values Removed: (none)
  Values Added: Strapi may leak sensitive data via relational filtering due to lack of query sanitization
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-200, CWE-22, CWE-943
Type: References
  Values Removed: (none)
  Values Added: (none listed)
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:50:58.218Z

Reserved: 2026-02-24T15:19:29.716Z

Link: CVE-2026-27886

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-14T19:16:31.580

Modified: 2026-05-14T21:23:28.673

Link: CVE-2026-27886

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T21:00:13Z

Weaknesses