critical

CVE

CVE-2026-27886, CVE-2026-22599, CVE-2026-22707, CVE-2026-22706, CVE-2025-64526

CWE

CWE-22, CWE-89, CWE-200, CWE-307, CWE-434, CWE-693, CWE-943

Affected Surface

@strapi/strapi 4.0.0 through 5.36.1, @strapi/content-type-builder 5.0.0 through 5.33.1, @strapi/plugin-content-type-builder 4.0.0 through 4.26.0, @strapi/upload <= 5.33.2, @strapi/admin <= 5.33.2, @strapi/plugin-users-permissions <= 5.44.0, Strapi Content API deployments with public content types that expose admin relation fields

Strapi published a cluster of security advisories on 13 May 2026, and NVD entries followed on 14 May. The set matters for application security teams because the affected npm packages sit directly in production CMS request paths: public Content API filtering, authenticated Content-Type Builder writes, uploads, admin sessions, and users-permissions authentication throttling.

The highest-risk issue is CVE-2026-27886, a critical query-sanitization flaw in @strapi/strapi. Strapi's filter sanitization did not stop relational filter chains from traversing from a public content record into restricted fields of the related admin user. An unauthenticated attacker could repeatedly query a public content type with a filter such as where[updatedBy][resetPasswordToken][$startsWith]=... and use response differences (whether or not any records come back) as a boolean oracle, recovering private values one character at a time, including admin reset-password tokens.

The second critical issue is CVE-2026-22599 in the Content-Type Builder packages. An authenticated administrator could supply a column.defaultTo value as a raw tuple that Strapi passed through to Knex's raw database execution path during schema migration, so attacker-controlled text became part of the DEFAULT clause in the migration statement. Depending on the database engine and deployment, that database-query injection could lead to arbitrary database statements, file read primitives, denial of service, or code execution on the database server.

Affected packages and fixed versions

The package advisory records map affected npm package ranges to GitHub Security Advisory IDs as well as to CVE IDs:

  • @strapi/strapi: CVE-2026-27886 / GHSA-rjg2-95x7-8qmx affects versions from 4.0.0 before 5.37.0. Upgrade to 5.37.0 or later.
  • @strapi/content-type-builder: CVE-2026-22599 / GHSA-3xcq-8mjw-h6mx affects versions from 5.0.0 before 5.33.2. Upgrade to 5.33.2 or later.
  • @strapi/plugin-content-type-builder: CVE-2026-22599 / GHSA-3xcq-8mjw-h6mx affects versions from 4.0.0 before 4.26.1. Upgrade to 4.26.1 or later.
  • @strapi/upload: CVE-2026-22707 / GHSA-pcw7-5633-82vv affects versions up to 5.33.2. Upgrade to 5.33.3 or later.
  • @strapi/admin: CVE-2026-22706 / GHSA-hvp3-26wx-g2w4 affects versions up to 5.33.2. Upgrade to 5.33.3 or later.
  • @strapi/plugin-users-permissions: CVE-2026-22706 affects versions up to 5.33.2, and CVE-2025-64526 / GHSA-7mqx-wwh4-f9fw affects versions up to 5.44.0. Upgrade to 5.45.0 or later to cover both users-permissions issues.

Strapi v4 deployments need special attention. The v4 Content-Type Builder fix ships on the @strapi/plugin-content-type-builder line at 4.26.1, but the critical relational-filtering oracle is recorded against @strapi/strapi from 4.0.0 through 5.36.1 with 5.37.0 as the only fixed line. These records therefore give a v4 instance no in-line fix for CVE-2026-27886: closing it means moving to 5.37.0 or later, or placing compensating controls in front of the public Content API until that migration is done.

Attack surface

CVE-2026-27886 is exposed when a public Content API endpoint can filter through an admin relation such as updatedBy, createdBy, or publishedBy. The attacker does not need an account. They need a public content type whose relational fields can be abused to join against admin-user data, then enough requests to test candidate values one character at a time.

CVE-2026-22599 requires administrator privileges, but that does not make it harmless. CMS administrator accounts are common post-phishing targets, and the vulnerable path turns an application-level admin account into database-layer statement execution during content-type changes. The patch removes the production write surface by returning 404 for Content-Type Builder write APIs outside development mode.

The remaining advisories expand the blast radius:

  • CVE-2026-22707 lets Content API users with upload permission bypass MIME allow and deny lists, including for HTML or SVG content that may execute in the admin origin if opened by an administrator.
  • CVE-2026-22706 means password changes and resets did not revoke existing refresh-token sessions when deviceId was absent.
  • CVE-2025-64526 lets unauthenticated callers bypass per-IP throttling on auth routes: the rate limiter included an email field from the request body in its key, so on routes that do not legitimately use that field an attacker can vary the email value on every request and land in a fresh bucket each time.

Together, the cluster affects both initial compromise and containment. An attacker may be able to recover admin reset tokens, keep sessions alive after password rotation, brute-force auth routes with weakened throttling, and use upload-policy bypasses to place active content where admins can reach it.

Detection

For CVE-2026-27886, review access logs for public Content API requests that filter through admin relations:

where[updatedBy][resetPasswordToken][$startsWith]
where[createdBy][email]
where[publishedBy][password]

Repeated requests from one source that vary only the final character of a filter value are especially suspicious. Follow those with checks for POST /admin/reset-password and successful admin login or password-change events that were not initiated by the legitimate administrator.

For CVE-2026-22599, search HTTP logs for unexpected POST or PUT requests under /content-type-builder/, especially in production. Review database logs for unusual DEFAULT clauses, schema-migration errors, calls to file-access helper functions, or content types with suspicious attribute names such as passwd, env, config, or secret.

For upload-policy bypass, look for Content API upload events that created .html, .htm, .svg, .js, .mjs, .xml, or .xhtml files despite configured restrictions. Then correlate whether an admin loaded those files shortly before unexpected administrative changes.
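The three detection checks above, as an added example that is not part of the advisories or of Strapi's code: a Node.js scan over access-log lines that flags query keys traversing createdBy, updatedBy or publishedBy into a further field, scores each source's sequence of such requests for the last-character-varies or one-character-extension shape of a boolean oracle, and lists write requests under /content-type-builder/. The log lines are constructed samples using RFC 5737 addresses; the log format, the route prefixes and the threshold of three oracle-shaped steps are assumptions. The upload-policy check needs file names or MIME types, which plain access logs do not carry, so it is not included here.

```javascript
// Added example (not code from Strapi or the advisories): run the detection rules
// over access-log lines. SAMPLE_LOG is constructed test data (RFC 5737 addresses);
// the log format, route prefixes and the oracle threshold of three are assumptions.
const ADMIN_RELATIONS = ["createdBy", "updatedBy", "publishedBy"];
const CTB_WRITE_METHODS = ["POST", "PUT", "DELETE"];

// Common/combined log format: ip ident user [time] "METHOD target PROTO" status bytes
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

function safeDecode(s) {
  // Malformed percent-encoding keeps the raw text instead of dropping the request.
  try { return decodeURIComponent(s.replace(/\+/g, " ")); } catch { return s; }
}

// Parse one line into { ip, time, method, path, status, bytes, params } or null.
// Query parameters keep their order, which the oracle scoring relies on.
function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status, bytes] = m;
  const q = target.indexOf("?");
  const path = q === -1 ? target : target.slice(0, q);
  const params = [];
  if (q !== -1) {
    for (const pair of target.slice(q + 1).split("&")) {
      if (!pair) continue;
      const eq = pair.indexOf("=");
      params.push({ key: safeDecode(eq === -1 ? pair : pair.slice(0, eq)), value: safeDecode(eq === -1 ? "" : pair.slice(eq + 1)) });
    }
  }
  return { ip, time, method, path, status: Number(status), bytes: bytes === "-" ? 0 : Number(bytes), params };
}

// where[updatedBy][resetPasswordToken][$startsWith] -> [where, updatedBy, resetPasswordToken, $startsWith].
// Flag an admin relation followed by a field name; where[updatedBy][$eq] (filter by id) is not a traversal.
function traversesAdminRelation(key) {
  const segs = key.split(/[\[\]]+/).filter(Boolean);
  const i = segs.findIndex((s) => ADMIN_RELATIONS.includes(s));
  return i !== -1 && i + 1 < segs.length && !segs[i + 1].startsWith("$");
}

// Count consecutive values that differ only in the last character, or extend the
// previous value by one character: the shape of a character-at-a-time boolean oracle.
function oracleScore(values) {
  let score = 0;
  for (let i = 1; i < values.length; i++) {
    const prev = values[i - 1], cur = values[i];
    if (cur === prev) continue; // plain retries are not oracle steps
    const lastCharVaries = prev.length === cur.length && prev.slice(0, -1) === cur.slice(0, -1);
    const extendsPrev = cur.length === prev.length + 1 && cur.startsWith(prev);
    if (lastCharVaries || extendsPrev) score++;
  }
  return score;
}

function analyzeLogs(lines, { oracleThreshold = 3 } = {}) {
  const adminRelationHits = [];
  const ctbWrites = [];
  const groups = new Map(); // "ip path key" -> { ip, path, key, values[] }
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    if (req.path.startsWith("/content-type-builder/") && CTB_WRITE_METHODS.includes(req.method)) {
      ctbWrites.push({ ip: req.ip, time: req.time, method: req.method, path: req.path, status: req.status });
    }
    for (const { key, value } of req.params) {
      if (!traversesAdminRelation(key)) continue;
      adminRelationHits.push({ ip: req.ip, time: req.time, path: req.path, key, value, status: req.status, bytes: req.bytes });
      const id = `${req.ip} ${req.path} ${key}`;
      if (!groups.has(id)) groups.set(id, { ip: req.ip, path: req.path, key, values: [] });
      groups.get(id).values.push(value);
    }
  }
  const oracleCandidates = [];
  for (const g of groups.values()) {
    const score = oracleScore(g.values);
    if (score >= oracleThreshold) oracleCandidates.push({ ...g, score });
  }
  return { adminRelationHits, oracleCandidates, ctbWrites };
}

// Constructed sample: a benign filter, a character-by-character probe of updatedBy.resetPasswordToken,
// a URL-encoded probe of publishedBy.password, a blocked createdBy.email probe, and a production CTB write.
const SAMPLE_LOG = [
  '198.51.100.24 - - [14/May/2026:09:01:02 +0000] "GET /api/articles?filters[title][$eq]=hello HTTP/1.1" 200 512',
  '203.0.113.7 - - [14/May/2026:09:02:10 +0000] "GET /api/articles?where[updatedBy][resetPasswordToken][$startsWith]=a HTTP/1.1" 200 87',
  '203.0.113.7 - - [14/May/2026:09:02:11 +0000] "GET /api/articles?where[updatedBy][resetPasswordToken][$startsWith]=b HTTP/1.1" 200 87',
  '203.0.113.7 - - [14/May/2026:09:02:12 +0000] "GET /api/articles?where[updatedBy][resetPasswordToken][$startsWith]=c HTTP/1.1" 200 512',
  '203.0.113.7 - - [14/May/2026:09:02:13 +0000] "GET /api/articles?where[updatedBy][resetPasswordToken][$startsWith]=ca HTTP/1.1" 200 87',
  '203.0.113.7 - - [14/May/2026:09:02:14 +0000] "GET /api/articles?where[updatedBy][resetPasswordToken][$startsWith]=cb HTTP/1.1" 200 512',
  '203.0.113.7 - - [14/May/2026:09:03:00 +0000] "GET /api/articles?where%5BpublishedBy%5D%5Bpassword%5D%5B%24startsWith%5D=%24 HTTP/1.1" 200 87',
  '198.51.100.24 - - [14/May/2026:09:05:00 +0000] "GET /api/articles?filters[createdBy][email]=x HTTP/1.1" 403 42',
  '192.0.2.9 - - [14/May/2026:09:10:00 +0000] "POST /content-type-builder/content-types HTTP/1.1" 201 300',
];

console.log(JSON.stringify(analyzeLogs(SAMPLE_LOG), null, 2));
```

Feed it real lines with `analyzeLogs(fs.readFileSync(path, "utf8").split("\n"))`. The response-size column is carried through on each hit because a two-valued distribution of sizes within one oracle candidate (87 and 512 in the sample) is what distinguishes a working oracle from a failed probe; a single 403 against createdBy, as in the sample, is still worth a look but is not by itself evidence of extraction.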

Remediation

Upgrade Strapi and the affected packages to fixed versions. For most v5 deployments, 5.45.0 or later covers the users-permissions rate-limit fix and the earlier 5.33.3 and 5.37.0 fixes. For v4 deployments, apply the latest supported v4 release and ensure @strapi/plugin-content-type-builder is at least 4.26.1.

After upgrading:

  • Rotate administrator reset tokens and force password resets for accounts whose reset-token values may have been queried.
  • Revoke existing admin and users-permissions refresh-token sessions so CVE-2026-22706 cannot preserve an attacker session.
  • Remove unexpected uploaded active-content files and consider serving uploads from an origin separate from the admin panel, so that uploaded HTML or SVG cannot execute in the admin origin.
  • Restrict Content-Type Builder routes to development environments and internal networks.
  • Review WAF and rate-limit rules for /api/auth/local, /api/auth/reset-password, and /api/auth/change-password.
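As an added stopgap for instances that cannot reach the fixed versions yet (the v4 line in particular, for which the package records list no fix for CVE-2026-27886), and not Strapi's own code: a global middleware in the (config, { strapi }) => async (ctx, next) shape Strapi uses for custom middlewares. It rejects Content API query keys that traverse an admin relation into a further field, whether under filters, where, sort or populate, and answers 404 to Content-Type Builder write methods outside development, which is the behaviour described above for the patched packages. The route prefixes /api/ and /content-type-builder/ are Strapi's defaults, and using NODE_ENV as the development switch, the config.env override and the middleware name are assumptions of this example. decide() is the pure decision function; simulate() drives the middleware with a minimal fake Koa context so the block runs stand-alone.

```javascript
// Added stopgap example, not Strapi's own code. Assumptions: default route prefixes
// /api/ and /content-type-builder/, NODE_ENV as the development switch, and a
// config.env override so the behaviour can be tested without touching the environment.
const ADMIN_RELATIONS = ["createdBy", "updatedBy", "publishedBy"];
const CTB_WRITE_METHODS = new Set(["POST", "PUT", "DELETE"]);

// Decode the keys of a raw query string (ctx.querystring in Koa), e.g.
// "where%5BupdatedBy%5D%5Bemail%5D=x&sort=title" -> ["where[updatedBy][email]", "sort"]
function queryKeys(querystring) {
  return (querystring || "")
    .split("&")
    .filter(Boolean)
    .map((pair) => {
      const raw = pair.split("=")[0].replace(/\+/g, " ");
      try { return decodeURIComponent(raw); } catch { return raw; }
    });
}

// where[updatedBy][resetPasswordToken][$startsWith] -> admin relation followed by a
// field name; where[updatedBy][$eq] (filter by admin id) is left alone.
function keyTraversesAdminRelation(key) {
  const segs = key.split(/[\[\]]+/).filter(Boolean);
  const i = segs.findIndex((s) => ADMIN_RELATIONS.includes(s));
  return i !== -1 && i + 1 < segs.length && !segs[i + 1].startsWith("$");
}

// Pure decision: returns { status, body } to short-circuit the request, or null to pass it on.
function decide({ method, path, querystring }, env) {
  if (path.startsWith("/content-type-builder/") && CTB_WRITE_METHODS.has(method) && env !== "development") {
    // Same shape as a missing route, so the write surface is not discoverable in production.
    return { status: 404, body: { error: "Not Found" } };
  }
  if (path.startsWith("/api/")) {
    const offending = queryKeys(querystring).find(keyTraversesAdminRelation);
    if (offending) return { status: 400, body: { error: `Invalid query: ${offending} is not allowed` } };
  }
  return null;
}

// Factory in the (config, { strapi }) => middleware shape Strapi uses for custom middlewares.
function createAdminRelationGuard(config = {}, _deps = {}) {
  const env = config.env ?? process.env.NODE_ENV ?? "production";
  return async (ctx, next) => {
    const verdict = decide({ method: ctx.method, path: ctx.path, querystring: ctx.querystring }, env);
    if (verdict) {
      ctx.status = verdict.status;
      ctx.body = verdict.body;
      return; // next() is not called: the route handler never sees the request
    }
    await next();
  };
}

// Drive the middleware with a minimal fake Koa context and report what happened.
async function simulate(method, path, querystring, env) {
  const ctx = { method, path, querystring, status: 200, body: null };
  let reachedRoute = false;
  await createAdminRelationGuard({ env })(ctx, async () => { reachedRoute = true; });
  return { status: ctx.status, reachedRoute };
}

if (typeof module !== "undefined") module.exports = createAdminRelationGuard;
```

To register it, save the file under src/middlewares/ and add its 'global::' name to the array in config/middlewares.js (the file and middleware names are whatever you choose; none is prescribed here). The guard inspects the bracket-encoded nested keys that Strapi's documented filter syntax uses, and it also refuses legitimate populate or sort requests that reach into admin relations, so treat it as defence in depth alongside the upgrade rather than as a replacement for it.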

If logs show relational-filter probing against admin fields, treat the instance as a potential admin account takeover. Preserve request logs, rotate CMS admin credentials, rotate database credentials reachable from Strapi, and audit recent content-type, user, role, upload, and plugin configuration changes.
