MIME Type Bypass Vulnerability in Strapi Headless CMS by Strapi
CVE-2026-22707

5.3 MEDIUM

Key Information:

Vendor: Strapi
CVE Published: 14 May 2026

What is CVE-2026-22707?

Strapi, the open-source headless content management system, contains a vulnerability in its Upload plugin (@strapi/upload) prior to version 5.33.3 that lets authenticated users bypass the configured MIME type restrictions on file uploads when uploading through the Content API. The Admin Panel enforces the restrictions; the Content API did not, so disallowed types such as HTML and SVG could be stored. Because both file types can carry script that runs in the browser of an administrator who opens them, the flaw can lead to session hijacking. Version 5.33.3 fixes the issue by applying the same type checks on both upload interfaces.

Affected Version(s)

@strapi/upload < 5.33.3

strapi < 5.33.3

CVSS v4

Score: 5.3 (MEDIUM)
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None
Confidentiality: Low
Integrity: Low
Availability: None

Note: the description above states that the attacker must be an authenticated user and that the impact depends on an administrator opening the uploaded file, which the Privileges Required and User Interaction values shown here do not reflect. Check the full CVSS vector at the source before relying on the 5.3 score.

Timeline

  • Vulnerability reserved

  • Vulnerability published: 14 May 2026