Sanitization Flaws in Strapi Headless CMS Affecting Multiple Versions
CVE-2026-27886

9.2 CRITICAL

Key Information:

Vendor: Strapi
Status: Vendor
CVE Published: 14 May 2026

What is CVE-2026-27886?

Strapi, an open-source headless content management system, has a vulnerability in versions 4.0.0 through 5.36.0 that stems from inadequate sanitization of query parameters during content filtering. The flaw allows unauthenticated attackers to abuse the where query parameter on publicly accessible content types that expose admin-relation fields, such as updatedBy. Because operator chains in the filter can traverse into restricted relational schemas, an attacker can mount a boolean-oracle attack against private fields on the admin_users table, including resetPasswordToken, potentially leading to complete administrative account takeover without any authentication. The vulnerability was addressed in version 5.37.0, which introduced stricter query-parameter sanitization to block access to restricted database fields through relation traversal.

Affected Version(s)

strapi >= 4.0.0, < 5.37.0

References

CVSS v4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved