A pair of severe vulnerabilities discovered in Strapi, the widely used open-source headless Content Management System (CMS), could allow attackers to completely take over administrative accounts without authentication or execute arbitrary database commands.
The security holes, tracked as CVE-2026-22599 and CVE-2026-27886, impact multiple versions of the platform. Because Strapi is commonly relied upon to generate full content APIs for websites, mobile applications, and IoT ecosystems, these vulnerabilities present an immediate threat to organizations hosting unpatched instances. Full details of the attack mechanisms and specific indicators of compromise have been laid out by researchers.
The first critical vulnerability, tracked as CVE-2026-22599 (CVSS 9.3), centers on a database-query injection flaw residing within Strapi’s core Content-Type Builder write API.
When a user defines or alters content models, the platform automatically updates the backend database schema. Researchers discovered that an authenticated administrator could maliciously inject arbitrary database statements into the column.defaultTo attribute during this process.
By passing the default value as a specific tuple string formatted as [value, { isRaw: true }], the backend improperly relayed the input straight into Knex’s underlying db.connection.raw() method without any form of input sanitization.
Because the payload is evaluated directly at the database layer, the ultimate impact depends heavily on the type of database engine connected to Strapi:
- Arbitrary File Read: Attackers can utilize native database utility functions to read files right off the hosting filesystem.
- Denial of Service (DoS): Forcing a migration error can trigger immediate server crashes.
- Remote Code Execution (RCE): On database engines configured to allow external program execution, the exploit can be upgraded to full code execution on the database server.
Strapi has addressed the issue by completely locking down the Content-Type Builder write APIs so that they only function in a development mode environment. Production environments running version 5.33.2 or later will now natively return a 404 Not Found error code for any incoming requests hitting /content-type-builder/content-types, effectively zeroing out the network-accessible attack surface.
The second vulnerability, tracked as CVE-2026-27886 (CVSS 9.2), is a highly dangerous query sanitization failure affecting all Strapi versions between 4.0.0 and 5.36.1. It permits an entirely unauthenticated internet attacker to seize absolute control of the main administrator account.
When public content APIs are filtered using relational fields, Strapi did not adequately sanitize the incoming query parameters. An attacker can abuse the where query parameter on any publicly open endpoint that includes fields tracking admin relationships (such as updatedBy, createdBy, or publishedBy).
By crafting a specific operator chain—such as where[updatedBy][resetPasswordToken][$startsWith]=a—the attacker forces Strapi to execute a LEFT JOIN against the internal, protected admin_users table. Because the filtering layer failed to prevent operators from diving into relational schemas that the public caller has zero permission to view, the API’s response count effectively turns into a “one-bit blind boolean oracle”.
An attacker can systematically automate thousands of requests, iterating through characters to leak the secret resetPasswordToken bit by bit. Once the token is reconstructed, they can execute a password reset and take over the administrative account.
The vulnerability has been eradicated in patched versions v5.37.0 and later. The fix implements strict validation at the controller and service boundaries using three new primitives: strictParam, addQueryParams, and addBodyParams, which reject nested relational queries before they hit the database interpreter.
Security administrators are urged to audit their infrastructure logs immediately using the following behavioral signatures provided by researchers to identify if their unpatched instances have been targeted.
Indicators for CVE-2026-22599 (SQL Injection)
- Look for unauthorized database schema modifications or immediate node process crashes during migration steps.
- Scan HTTP access logs for unexpected POST or PUT methods targeting the builder endpoints from external network spaces: (POST|PUT)\s+/content-type-builder/
- Inspect database engine logs for unexpected DEFAULT clauses pointing to program-execution helpers or filesystem access functions.
Indicators for CVE-2026-27886 (Relational Oracle)
- High volume, sustained bursts of public API requests from a single source IP address where only the trailing character of the parameter string changes.
- Audit server access logs for query parameters mapping to administrative user fields:
- Rogue password reset execution requests (POST /admin/reset-password) utilizing tokens that no legitimate internal administrator ever requested.
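A log triage script for the indicators listed above, added here as an example rather than taken from the article or from Strapi's own tooling; it assumes combined-format access logs, treats the RFC 1918 ranges as the internal network, and uses a constructed burst threshold of 3 on constructed sample lines.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample lines in combined log format; illustration only, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2026:10:00:01 +0000] "POST /content-type-builder/content-types HTTP/1.1" 201 512
10.0.0.5 - - [01/Mar/2026:10:00:02 +0000] "GET /api/articles?populate=%2A HTTP/1.1" 200 2048
198.51.100.9 - - [01/Mar/2026:10:01:00 +0000] "GET /api/articles?where%5BupdatedBy%5D%5BresetPasswordToken%5D%5B%24startsWith%5D=a HTTP/1.1" 200 12
198.51.100.9 - - [01/Mar/2026:10:01:01 +0000] "GET /api/articles?where%5BupdatedBy%5D%5BresetPasswordToken%5D%5B%24startsWith%5D=b HTTP/1.1" 200 12
198.51.100.9 - - [01/Mar/2026:10:01:02 +0000] "GET /api/articles?where%5BupdatedBy%5D%5BresetPasswordToken%5D%5B%24startsWith%5D=c HTTP/1.1" 200 12
198.51.100.9 - - [01/Mar/2026:10:05:00 +0000] "POST /admin/reset-password HTTP/1.1" 200 64
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Signature quoted in the article for CVE-2026-22599: write methods hitting the builder endpoints.
BUILDER_RE = re.compile(r"^(POST|PUT)\s+/content-type-builder/")
# A filter that drills past an admin relation into admin_users columns (the CVE-2026-27886 oracle).
ADMIN_REL_RE = re.compile(r"\[(updatedBy|createdBy|publishedBy)\]\[")
# Assumption: RFC 1918 ranges are the trusted internal space; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BURST_THRESHOLD = 3  # assumed tuning value for the demo; raise it for busy sites

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def parse(log_text):
    # Yield parsed requests with the target URL-decoded so encoded brackets still match.
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["target"] = unquote(rec["target"])
            yield rec

def scan(log_text):
    found = {"builder_write": [], "admin_relation_filter": [], "reset_password": []}
    stems = defaultdict(Counter)  # ip -> how often each target minus its last character was seen
    for r in parse(log_text):
        ip, method, target = r["ip"], r["method"], r["target"]
        stems[ip][target[:-1]] += 1
        if not is_internal(ip) and BUILDER_RE.match(f"{method} {target}"):
            found["builder_write"].append((ip, method, target))
        if ADMIN_REL_RE.search(target):
            found["admin_relation_filter"].append((ip, target))
        if method == "POST" and target.startswith("/admin/reset-password"):
            found["reset_password"].append(ip)
    # Burst indicator: repeated requests from one IP that differ only in the trailing character.
    found["oracle_burst"] = [(ip, n) for ip, c in stems.items() for n in c.values() if n >= BURST_THRESHOLD]
    return found
```

Run `scan()` over a real access log after decoding it the same way; on the sample it flags the external builder write, the three admin-relation filters and their burst, and the reset-password POST.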