Vulnerabilities ›

CVE-2026-22706

Medium

CWE-613 — Weakness Type

                    Published: May 14, 2026                      ·  Modified: May 17, 2026                      ·  Source: NVD                

CVSS v3

6.5

🔗 NVD Official

📄 Description (English)

Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and admin authentication controllers was conditional on a caller-supplied `deviceId`. When a password change or reset request did not include a `deviceId`, no refresh tokens were revoked, leaving every prior session active. An attacker who had previously obtained a refresh token could continue minting new access tokens after the legitimate user reset their password, allowing persistent unauthorized access for the lifetime of the refresh token (up to 30 days by default). Rotating credentials no longer terminated an active attacker session, defeating password reset as a containment measure. The patch in version 5.33.3 invalidates all refresh tokens associated with the user on every password change and password reset, regardless of whether a `deviceId` is supplied. A new device-scoped session is then issued to the caller as part of the response.

🤖 AI Executive Summary

Strapi versions prior to 5.33.3 fail to invalidate refresh tokens when users change or reset passwords if no deviceId is supplied, allowing attackers with previously obtained refresh tokens to maintain unauthorized access for up to 30 days. This critical authentication bypass defeats password reset as a containment measure and enables persistent unauthorized access even after credential rotation. Organizations using Strapi for content management should immediately assess their deployment and implement compensating controls.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 16, 2026 07:38

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations using Strapi for content management systems—particularly in government digital transformation initiatives, banking portals, healthcare information systems, and e-commerce platforms—face significant risk. The vulnerability is particularly critical for SAMA-regulated financial institutions using Strapi for customer-facing applications, NCA-governed government digital services, and healthcare providers managing patient data. The 30-day persistent access window creates extended exposure for sensitive data breaches and unauthorized transactions.

🏢 Affected Saudi Sectors

Banking and Financial Services Government and Digital Transformation Healthcare and Medical Records E-commerce and Retail Telecommunications Energy and Utilities Education Media and Publishing

🎯 MITRE ATT&CK Techniques

T1110 - Brute Force T1187 - Forced Authentication T1556 - Modify Authentication Process T1550 - Use Alternate Authentication Material T1550.001 - Use Alternate Authentication Material: Application Access Token T1078 - Valid Accounts T1098 - Account Manipulation T1556.006 - Modify Authentication Process: Multi-Factor Authentication

⚖️ Saudi Risk Score (AI)

7.8

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all Strapi deployments in your environment and document their versions

2. Isolate or restrict access to Strapi instances running versions prior to 5.33.3

3. Force logout all active user sessions immediately

4. Require all users to change passwords and enable multi-factor authentication

5. Review authentication logs for suspicious refresh token usage patterns

PATCHING GUIDANCE:

1. Upgrade Strapi to version 5.33.3 or later immediately

2. Test upgrades in non-production environments first

3. After patching, invalidate all existing refresh tokens by forcing re-authentication

4. Implement automated patching procedures for future releases

COMPENSATING CONTROLS (if immediate patching not possible):

1. Reduce refresh token lifetime from default 30 days to maximum 7 days in Strapi configuration

2. Implement mandatory re-authentication for sensitive operations

3. Deploy API gateway with token validation and revocation checks

4. Monitor and alert on refresh token usage anomalies

5. Implement IP-based session binding to detect token reuse from different locations

DETECTION RULES:

1. Alert on refresh token usage after password change events

2. Monitor for multiple access tokens generated from single refresh token

3. Track refresh token usage from different IP addresses within short timeframes

4. Alert on refresh token usage beyond 7-day window

5. Monitor authentication logs for password reset events not followed by session termination

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. حدد جميع نشرات Strapi في بيئتك وقثّق إصداراتها

2. عزل أو تقييد الوصول إلى مثيلات Strapi التي تعمل بإصدارات سابقة للإصدار 5.33.3

3. فرض تسجيل الخروج لجميع جلسات المستخدم النشطة فوراً

4. طلب من جميع المستخدمين تغيير كلمات المرور وتفعيل المصادقة متعددة العوامل

5. مراجعة سجلات المصادقة للكشف عن أنماط استخدام رموز التحديث المريبة

إرشادات التصحيح:

1. ترقية Strapi إلى الإصدار 5.33.3 أو أحدث فوراً

2. اختبر الترقيات في بيئات غير الإنتاج أولاً

3. بعد التصحيح، أبطل جميع رموز التحديث الموجودة بفرض إعادة المصادقة

4. تنفيذ إجراءات التصحيح الآلية للإصدارات المستقبلية

عناصر التحكم التعويضية (إذا لم يكن التصحيح الفوري ممكناً):

1. تقليل مدة صلاحية رمز التحديث من 30 يوماً افتراضياً إلى 7 أيام كحد أقصى

2. تنفيذ إعادة مصادقة إلزامية للعمليات الحساسة

3. نشر بوابة API مع التحقق من الرموز والتحقق من الإلغاء

4. مراقبة والتنبيه على شذوذ استخدام رموز التحديث

5. تنفيذ ربط الجلسة القائم على IP للكشف عن إعادة استخدام الرموز من مواقع مختلفة

قواعد الكشف:

1. التنبيه على استخدام رموز التحديث بعد أحداث تغيير كلمة المرور

2. مراقبة توليد رموز وصول متعددة من رمز تحديث واحد

3. تتبع استخدام رموز التحديث من عناوين IP مختلفة في فترات زمنية قصيرة

4. التنبيه على استخدام رموز التحديث بعد نافذة 7 أيام

5. مراقبة سجلات المصادقة لأحداث إعادة تعيين كلمة المرور التي لا تتبعها إنهاء الجلسة

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.9.2.1 - User registration and access rights management ECC 2024 A.9.2.5 - Access rights review and revocation ECC 2024 A.9.4.3 - Password management and change procedures ECC 2024 A.9.4.4 - Session management and timeout controls

🔵 SAMA CSF

SAMA CSF ID.AM-1 - Asset management and inventory SAMA CSF PR.AC-1 - Access control policy and procedures SAMA CSF PR.AC-2 - Physical and logical access controls SAMA CSF DE.AE-1 - Anomalies and events detection

🟡 ISO 27001:2022

ISO 27001:2022 A.5.15 - Access control ISO 27001:2022 A.5.16 - Authentication ISO 27001:2022 A.5.17 - Access rights ISO 27001:2022 A.8.3 - Cryptography ISO 27001:2022 A.8.22 - Monitoring

🟣 PCI DSS v4.0.1

PCI DSS 2.1 - Change default passwords PCI DSS 6.5.10 - Broken authentication PCI DSS 8.1.4 - Remove/disable inactive user accounts PCI DSS 8.2.3 - Password strength requirements

🔗 References & Sources 1

🔗

https://github.com/strapi/strapi/security/advisories/GHSA-hvp3-26wx-g2w4

security-advisories@github.com

Vendor Advisory

📦 Affected Products / CPE 1 entries

strapi:strapi

📊 CVSS Score

6.5

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredH — High

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score6.5

CWECWE-613

EPSS0.06%

Exploit No

Patch ✗ No

Published 2026-05-14

Source Feed nvd

🇸🇦 Saudi Risk Score

7.8

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

CWE-613

🏢 Vendor Advisories

🔗 https://github.com/strapi/strapi/security/advisories...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-22706

Introduce Yourself

Sign In Required