{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@strapi/strapi/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@strapi/strapi"],"_cs_severities":["medium"],"_cs_tags":["cve","strapi","account takeover","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Strapi"],"content_html":"\u003cp\u003eStrapi versions prior to 5.37.0 contain a critical vulnerability (CVE-2026-27886) that allows unauthenticated attackers to perform account takeover. The vulnerability stems from insufficient sanitization of query parameters when filtering content via relational fields. An attacker can exploit this flaw by crafting malicious \u003ccode\u003ewhere\u003c/code\u003e query parameters targeting publicly accessible content types with an \u003ccode\u003eupdatedBy\u003c/code\u003e (or other admin-relation) field. This allows for a boolean-oracle attack against private fields in the joined \u003ccode\u003eadmin_users\u003c/code\u003e table, specifically targeting the \u003ccode\u003eresetPasswordToken\u003c/code\u003e field. Successful extraction of an admin reset token enables complete administrative account takeover without requiring any prior authentication. The vulnerability affects \u003ccode\u003e@strapi/strapi\u003c/code\u003e versions \u0026lt;=5.36.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a publicly accessible content-type endpoint in the Strapi application that includes a relational field to the \u003ccode\u003eadmin_users\u003c/code\u003e table (e.g., \u003ccode\u003eupdatedBy\u003c/code\u003e, \u003ccode\u003ecreatedBy\u003c/code\u003e, \u003ccode\u003epublishedBy\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request to the identified endpoint, using the \u003ccode\u003ewhere\u003c/code\u003e query parameter to filter results based on a private field in the \u003ccode\u003eadmin_users\u003c/code\u003e table, such as \u003ccode\u003eresetPasswordToken\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker injects special characters and operators (e.g., \u003ccode\u003e$startsWith\u003c/code\u003e, \u003ccode\u003e$contains\u003c/code\u003e, \u003ccode\u003e$eq\u003c/code\u003e) into the \u003ccode\u003ewhere\u003c/code\u003e query parameter to construct a boolean-oracle attack. Example: \u003ccode\u003ewhere[updatedBy][resetPasswordToken][$startsWith]=a\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe vulnerable Strapi application executes a \u003ccode\u003eLEFT JOIN\u003c/code\u003e query against the \u003ccode\u003eadmin_users\u003c/code\u003e table without proper sanitization, allowing the attacker to infer information about the \u003ccode\u003eresetPasswordToken\u003c/code\u003e field based on the response.\u003c/li\u003e\n\u003cli\u003eThe attacker iterates through a hex alphabet (\u003ccode\u003e0\u003c/code\u003e-\u003ccode\u003e9\u003c/code\u003e, \u003ccode\u003ea\u003c/code\u003e-\u003ccode\u003ef\u003c/code\u003e) to progressively reveal the \u003ccode\u003eresetPasswordToken\u003c/code\u003e value one character at a time by observing subtle differences in the response.\u003c/li\u003e\n\u003cli\u003eOnce the attacker has successfully extracted the complete \u003ccode\u003eresetPasswordToken\u003c/code\u003e, they make a \u003ccode\u003ePOST /admin/reset-password\u003c/code\u003e request with the stolen token.\u003c/li\u003e\n\u003cli\u003eThe Strapi application validates the stolen reset token and allows the attacker to set a new password for the targeted administrator account.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully logs in to the Strapi admin panel using the newly set password, achieving full administrative account takeover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-27886 allows unauthenticated attackers to gain complete control over the Strapi application. This can lead to data breaches, unauthorized modifications, and denial of service. The affected versions are \u003ccode\u003e@strapi/strapi\u003c/code\u003e \u0026lt;=5.36.1. The impact is considered critical due to the ease of exploitation and the high level of access gained.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade your Strapi installation to version \u0026gt;=5.37.0 to patch CVE-2026-27886, as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Strapi resetPasswordToken Oracle Attempts (CVE-2026-27886)\u0026rdquo; to detect potential exploitation attempts by monitoring for suspicious \u003ccode\u003ewhere\u003c/code\u003e query parameters in web server access logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Strapi Admin Password Reset After Potential Exploitation (CVE-2026-27886)\u0026rdquo; to detect potential exploitation attempts by monitoring for admin password resets following suspicious activity.\u003c/li\u003e\n\u003cli\u003eMonitor server access logs for query strings containing patterns matching \u003ccode\u003e\\?(.*\u0026amp;)?where\\[(updatedBy|createdBy|publishedBy)\\]\\[(email|password|resetPasswordToken|confirmationToken|firstname|lastname|preferedLanguage)\\]\\[\\$(startsWith|contains|eq|gt|lt|ge|le|in|notIn|notNull|null)\\]=\u003c/code\u003e as described in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T13:21:49Z","date_published":"2026-05-14T13:21:49Z","id":"https://feed.craftedsignal.io/briefs/2026-05-strapi-rce/","summary":"Strapi versions prior to 5.37.0 are vulnerable to an unauthenticated boolean-oracle attack against private fields on the joined `admin_users` table, including the `resetPasswordToken` field, via the 'where' query parameter on publicly accessible content-types; extracting an admin reset token via this oracle makes full administrative account takeover possible without authentication.","title":"Strapi Unauthenticated Account Takeover via Relational Filtering Vulnerability (CVE-2026-27886)","url":"https://feed.craftedsignal.io/briefs/2026-05-strapi-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — @Strapi/Strapi","version":"https://jsonfeed.org/version/1.1"}