External risk intelligence

Strapi systems can be taken over by attackers through public content APIs

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-27886

Strapi CMS is vulnerable to unauthenticated administrative account takeover via its public content APIs. Attackers can exploit this by manipulating query parameters to extract sensitive tokens, leading to full system compromise.

5Halo Surface Signal

Path Traversal

Strapi

4.0.0 to before 5.37.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-27886

The vulnerability affects publicly accessible Content API endpoints. Strapi is a headless CMS fundamentally designed to expose these APIs to the internet to serve content to frontend applications, making the vulnerable surface public-facing by design in standard deployments.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Strapi, an open-source content management system, allows an unauthenticated attacker to potentially take over an administrative account. The system improperly handles query parameters when filtering content, enabling an attacker to exploit this to extract sensitive information like password reset tokens. This issue is critical because it can lead to a complete compromise of administrative access without any prior authentication.

  • Attackers can bypass authentication.
  • Full administrative account takeover is possible.
  • Affects publicly accessible content APIs.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this flaw by manipulating query parameters on publicly accessible Strapi content APIs. They can craft specific filter requests that traverse relational fields, effectively using the response count as a boolean oracle to guess private fields in the admin user table. Successfully guessing the password reset token allows complete administrative account takeover.

  • Public API access required.
  • Filter parameter manipulation is the vector.
  • Target admin user table fields.

Live Threat

Current exploitation, exposure, and threat context

Attackers will likely target this vulnerability due to its critical severity and the potential for unauthenticated full administrative account takeover. The Strapi CMS is often deployed with publicly accessible APIs, which this vulnerability directly impacts, making it an attractive target for exploitation.

  • Publicly accessible APIs.
  • Unauthenticated account takeover.
  • No observed exploitation signals.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Strapi instances to version 5.37.0 or later to address the critical vulnerability allowing admin account takeover. If immediate patching is not feasible, implement strict WAF rules to block suspicious `where` query parameters targeting relational fields and monitor logs for any attempts to exploit this flaw.

  • Apply patch to version 5.37.0.
  • Block exploit queries with WAF.
  • Monitor for token extraction attempts.

Frequently asked questions

What is CVE-2026-27886 and which Strapi versions are affected?

CVE-2026-27886 is a critical vulnerability in Strapi, an open-source headless CMS. It affects Strapi versions 4.0.0 up to, but not including, 5.37.0. The issue arises from insufficient sanitization of query parameters when filtering content through relational fields.

How does the Strapi vulnerability allow for account takeover?

The vulnerability, stemming from improper query parameter sanitization, allows an unauthenticated attacker to perform a boolean-oracle attack. By manipulating the 'where' query parameter on public content types with specific relational fields, an attacker can extract sensitive information like the 'resetPasswordToken' from the 'admin_users' table, enabling full administrative account takeover.

What is the weakness class for CVE-2026-27886 and how is it triggered?

The primary weakness classes are CWE-200 (Exposure of Sensitive Information), CWE-22 (Improper Limitation of a Pathname to a Restricted Directory or User'sapeutic), and CWE-943 (Improper Neutralization of Special Elements in Data Query). The vulnerability is triggered by an unauthenticated attacker using the `where` query parameter on publicly accessible content-type endpoints to craft relational queries that traverse into restricted schemas.

Why is this Strapi vulnerability considered very likely to be exploited?

This vulnerability is classified as 'Very likely' to be exploited because it affects publicly accessible Content API endpoints. Strapi, by its nature as a headless CMS, is designed to expose these APIs to the internet, making the vulnerable surface inherently public-facing in standard deployments. This broad exposure, combined with the critical impact of unauthenticated administrative account takeover, presents a significant threat.

What is the recommended action to mitigate the Strapi vulnerability?

The recommended action is to immediately patch Strapi instances to version 5.37.0 or later. If immediate patching is not possible, implement strict Web Application Firewall (WAF) rules to block suspicious 'where' query parameters that target relational fields and diligently monitor system logs for any exploitation attempts.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified