{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/strapi/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@strapi/content-type-builder","@strapi/plugin-content-type-builder"],"_cs_severities":["critical"],"_cs_tags":["sql-injection","vulnerability","strapi"],"_cs_type":"advisory","_cs_vendors":["Strapi"],"content_html":"\u003cp\u003eCVE-2026-22599 is a critical SQL injection vulnerability affecting the Strapi Content-Type Builder, specifically versions \u0026lt;=5.33.1 of \u003ccode\u003e@strapi/content-type-builder\u003c/code\u003e (v5) and \u0026lt;=4.26.0 of \u003ccode\u003e@strapi/plugin-content-type-builder\u003c/code\u003e (v4). This vulnerability allows an authenticated administrator to inject arbitrary database statements through the \u003ccode\u003ecolumn.defaultTo\u003c/code\u003e attribute during content type creation or modification. By setting \u003ccode\u003edefaultTo\u003c/code\u003e as a tuple \u003ccode\u003e[value, { isRaw: true }]\u003c/code\u003e, the provided value is directly passed to Knex\u0026rsquo;s \u003ccode\u003edb.connection.raw()\u003c/code\u003e without proper sanitization, leading to arbitrary statement execution at the database layer. Successful exploitation could result in arbitrary file read, denial of service via server crash, and, depending on the database engine, remote code execution on the database server. The vulnerability can be remediated by updating Strapi to versions \u0026gt;=5.33.2 (v5) or \u0026gt;=4.26.1 (v4), which restricts Content-Type Builder write APIs to development mode only.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates as an administrator in Strapi.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST or PUT request to \u003ccode\u003e/content-type-builder/content-types\u003c/code\u003e or related endpoints.\u003c/li\u003e\n\u003cli\u003eThe request includes a payload designed to create or modify a content type.\u003c/li\u003e\n\u003cli\u003eWithin the payload, the \u003ccode\u003ecolumn.defaultTo\u003c/code\u003e attribute is set with a tuple \u003ccode\u003e[value, { isRaw: true }]\u003c/code\u003e. The \u003ccode\u003evalue\u003c/code\u003e contains a SQL injection payload.\u003c/li\u003e\n\u003cli\u003eStrapi\u0026rsquo;s Content-Type Builder processes the request and passes the \u003ccode\u003evalue\u003c/code\u003e directly into Knex\u0026rsquo;s \u003ccode\u003edb.connection.raw()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe database executes the injected SQL statement, performing actions such as arbitrary file read, causing a denial-of-service by crashing the server, or potentially executing arbitrary code on the database server, depending on the database engine\u0026rsquo;s capabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data read from the file system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the Strapi application or the database server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-22599 can lead to severe consequences, including unauthorized access to sensitive data, denial of service, and potentially remote code execution on the database server. Observed damage includes unexpected files appearing on the database host, Strapi server crashes following content-type creation or updates, and unusual DEFAULT clause values in database server logs. The vulnerability affects any Strapi instance running vulnerable versions of the \u003ccode\u003e@strapi/content-type-builder\u003c/code\u003e or \u003ccode\u003e@strapi/plugin-content-type-builder\u003c/code\u003e packages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update Strapi to versions \u0026gt;=5.33.2 (v5) or \u0026gt;=4.26.1 (v4) to apply the patch that restricts Content-Type Builder write APIs to development mode, mitigating the vulnerability described in CVE-2026-22599.\u003c/li\u003e\n\u003cli\u003eMonitor HTTP access logs for POST or PUT requests to \u003ccode\u003e/content-type-builder/content-types\u003c/code\u003e endpoints from non-internal sources using the regex pattern \u003ccode\u003e(POST|PUT)\\s+/content-type-builder/\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eAnalyze database server logs for unexpected DEFAULT clause values that reference filesystem-access or program-execution helper functions to detect successful SQL injection.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential exploitation attempts based on HTTP requests to the Content-Type Builder endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T20:05:52Z","date_published":"2026-05-13T20:05:52Z","id":"https://feed.craftedsignal.io/briefs/2026-05-strapi-sqli/","summary":"A SQL injection vulnerability, identified as CVE-2026-22599, affects Strapi's Content-Type Builder, where an authenticated administrator could inject arbitrary database statements through the `column.defaultTo` attribute, potentially leading to arbitrary file read, denial of service, or remote code execution on the database server.","title":"Strapi Content-Type Builder SQL Injection Vulnerability (CVE-2026-22599)","url":"https://feed.craftedsignal.io/briefs/2026-05-strapi-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Strapi","version":"https://jsonfeed.org/version/1.1"}