Password Reset Vulnerability in Strapi Headless CMS
CVE-2026-22706

2.1 LOW

Key Information:

Vendor

Strapi

CVE Published:
14 May 2026

What is CVE-2026-22706?

Strapi is an open-source headless content management system. Before version 5.33.3, a user's existing refresh tokens were not invalidated when that user changed or reset their password without supplying a 'deviceId'. An attacker already holding a valid refresh token could therefore keep generating new access tokens, defeating the purpose of the password reset. Version 5.33.3 fixes this by invalidating every refresh token associated with the user on any password change or reset, so that a reset reliably terminates all existing sessions and prevents further unauthorized access.

Affected Version(s)

@strapi/admin < 5.33.3

@strapi/plugin-users-permissions < 5.33.3

strapi < 5.33.3

CVSS V4

Score: 2.1
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
