الثغرات ›

CVE-2026-22707

متوسط

CWE-434 — نوع الضعف

                    نُشر: May 14, 2026                      ·  آخر تحديث: May 17, 2026                      ·  المصدر: NVD                

CVSS v3

5.4

🔗 NVD الرسمي

📄 الوصف (الإنجليزية)

Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, the Upload plugin's Content API endpoints did not enforce the administrator-configured MIME type restrictions (`plugin.upload.security.allowedTypes` and `deniedTypes`). The same restrictions were correctly enforced on the Admin Panel upload path. The upload plugin's `enforceUploadSecurity` security check was invoked in the admin upload controller but was missing from the Content API controller. The Content API handlers `uploadFiles` and `replaceFile` (and the `upload` wrapper that dispatches to them) called the underlying upload service directly, bypassing both the magic-byte MIME detection and the configured allow/deny lists. An authenticated user with the Content API upload permission could therefore upload file types the administrator had explicitly disallowed, including HTML and SVG content. In deployments serving uploaded files from the same origin as the admin panel (default), an attacker could upload an HTML or SVG file that, when opened directly by an admin, executed JavaScript in the admin origin, enabling admin-session hijack and authenticated administrative actions against the admin API. The patch in version 5.33.3 introduces a shared `prepareUploadRequest` helper that wraps `enforceUploadSecurity` and is called from both the Content API and admin upload controllers, ensuring identical security policy enforcement on every upload entry point.

🤖 ملخص AI

Strapi versions prior to 5.33.3 fail to enforce MIME type restrictions on Content API file uploads, allowing authenticated users to bypass administrator-configured upload security policies. This vulnerability enables uploading malicious HTML/SVG files that can execute JavaScript in the admin panel context, potentially leading to admin session hijacking and unauthorized administrative actions. The vulnerability affects deployments serving uploaded files from the same origin as the admin panel, which is the default configuration.

📄 الوصف (العربية)

🤖 التحليل الذكي آخر تحليل: May 27, 2026 19:55

🇸🇦 التأثير على المملكة العربية السعودية

Saudi organizations using Strapi for content management—particularly in government digital transformation initiatives, banking portals, healthcare information systems, and e-commerce platforms—face significant risk. Government agencies under NCA oversight, SAMA-regulated financial institutions, and healthcare providers under MOH regulations are most vulnerable. The vulnerability enables privilege escalation from authenticated content creators to administrative access, compromising sensitive data and system integrity. Organizations in the Kingdom relying on Strapi for public-facing content management systems are at elevated risk of admin account compromise and subsequent data exfiltration or system manipulation.

🏢 القطاعات السعودية المتأثرة

Government (Digital Transformation, NCA-regulated agencies) Banking and Financial Services (SAMA-regulated institutions) Healthcare (MOH-regulated providers) E-commerce and Retail Media and Publishing Education Telecommunications

🎯 تقنيات MITRE ATT&CK

T1190 - Exploit Public-Facing Application (Strapi Content API) T1434 - Exploit for Privilege Escalation (Admin session hijacking) T1566.002 - Phishing: Spearphishing Link (Malicious uploaded HTML/SVG) T1598 - Phishing for Information (Admin credential theft via XSS) T1539 - Steal Web Session Cookie (Admin session hijacking) T1021.001 - Remote Services: Remote Desktop Protocol (Post-compromise admin access) T1078.001 - Valid Accounts: Default Accounts (Compromised admin account)

⚖️ درجة المخاطر السعودية (AI)

7.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all Strapi instances in your environment running versions prior to 5.33.3

2. Restrict Content API upload permissions to trusted users only; audit existing upload permissions

3. Implement network-level controls to prevent direct access to uploaded files from admin panel origin



PATCHING:

1. Upgrade Strapi to version 5.33.3 or later immediately

2. Test upgrades in non-production environments first

3. Review and re-validate MIME type restrictions (allowedTypes/deniedTypes) after patching



COMPENSATING CONTROLS (if immediate patching not possible):

1. Serve uploaded files from a different origin/subdomain than the admin panel (e.g., cdn.example.com vs admin.example.com)

2. Implement Content Security Policy (CSP) headers to prevent inline script execution

3. Configure web server to serve uploaded files with Content-Disposition: attachment header

4. Disable or restrict Content API upload endpoints if not actively used

5. Implement strict file type validation at the reverse proxy/WAF level



DETECTION:

1. Monitor Content API /upload and /replace endpoints for suspicious file uploads

2. Alert on uploads of .html, .svg, .js, .xml files via Content API

3. Review admin panel access logs for sessions initiated after file uploads

4. Implement file integrity monitoring on upload directories

5. Log and alert on any modifications to plugin.upload.security configuration

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. حدد جميع مثيلات Strapi في بيئتك التي تعمل بإصدارات سابقة للإصدار 5.33.3

2. قيّد أذونات تحميل Content API للمستخدمين الموثوقين فقط؛ قم بتدقيق أذونات التحميل الموجودة

3. تنفيذ عناصر تحكم على مستوى الشبكة لمنع الوصول المباشر إلى الملفات المحملة من أصل لوحة التحكم الإدارية

التصحيح:

1. قم بترقية Strapi إلى الإصدار 5.33.3 أو أحدث على الفور

2. اختبر الترقيات في بيئات غير الإنتاج أولاً

3. راجع وأعد التحقق من قيود نوع MIME (allowedTypes/deniedTypes) بعد التصحيح

عناصر التحكم البديلة (إذا لم يكن التصحيح الفوري ممكناً):

1. قدّم الملفات المحملة من أصل مختلف/نطاق فرعي عن لوحة التحكم الإدارية

2. تنفيذ رؤوس سياسة أمان المحتوى (CSP) لمنع تنفيذ البرامج النصية المضمنة

3. قم بتكوين خادم الويب لتقديم الملفات المحملة برأس Content-Disposition: attachment

4. تعطيل أو تقييد نقاط نهاية تحميل Content API إذا لم تكن قيد الاستخدام النشط

5. تنفيذ التحقق من نوع الملف الصارم على مستوى الوكيل العكسي/WAF

الكشف:

1. مراقبة نقاط نهاية Content API /upload و /replace لتحميلات الملفات المريبة

2. تنبيهات على تحميلات ملفات .html و .svg و .js و .xml عبر Content API

3. مراجعة سجلات الوصول إلى لوحة التحكم الإدارية للجلسات المبدوءة بعد تحميلات الملفات

4. تنفيذ مراقبة سلامة الملفات على أدلة التحميل

5. تسجيل والتنبيه على أي تعديلات على إعدادات plugin.upload.security

📋 خريطة الامتثال التنظيمي

🟢 NCA ECC 2024

ECC 2024 A.5.1.1 - Access Control: Unauthorized privilege escalation via admin session hijacking ECC 2024 A.5.2.1 - User Registration and Access Management: Inadequate enforcement of upload restrictions ECC 2024 A.6.1.2 - Asset Management: Uncontrolled file upload and execution ECC 2024 A.12.2.1 - Logging and Monitoring: Insufficient logging of Content API upload activities

🔵 SAMA CSF

SAMA CSF ID.AM-2: Hardware and software assets are inventoried (Strapi version tracking) SAMA CSF PR.AC-1: Access to physical and logical assets is limited (Content API permissions) SAMA CSF PR.PT-2: Removable media is protected and its use restricted (File upload controls) SAMA CSF DE.CM-1: The network is monitored to detect potential cybersecurity events (Upload monitoring)

🟡 ISO 27001:2022

ISO 27001:2022 A.5.3 - Segregation of duties: Inadequate separation between Content API and Admin upload controls ISO 27001:2022 A.6.2 - User access management: Insufficient enforcement of upload policy restrictions ISO 27001:2022 A.8.3 - Cryptography: File integrity and authenticity not enforced ISO 27001:2022 A.12.4 - Logging and monitoring: Inadequate audit trails for upload activities

🟣 PCI DSS v4.0.1

PCI DSS 1.2.1 - Restrict inbound traffic to defined business need (if processing payments) PCI DSS 6.5.8 - Improper access control (file upload bypass) PCI DSS 10.2 - Implement automated audit trails (upload logging)

🔗 المراجع والمصادر 1

🔗

https://github.com/strapi/strapi/security/advisories/GHSA-pcw7-5633-82vv

security-advisories@github.com

Vendor Advisory

📦 المنتجات المتأثرة 1 منتج

strapi:strapi

📊 CVSS Score

5.4

/ 10.0 — متوسط

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 حقائق سريعة

الخطورة متوسط

CVSS Score5.4

CWECWE-434

EPSS0.03%

اختراق متاح لا

تصحيح متاح ✗ لا

تاريخ النشر 2026-05-14

المصدر nvd

المشاهدات 1

🇸🇦 درجة المخاطر السعودية

7.2

/ 10.0 — مخاطر السعودية

أولوية: HIGH

🏷️ الوسوم

CWE-434

🏢 توجيهات البائع

🔗 https://github.com/strapi/strapi/security/advisories...

⚡ إجراءات

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-22707

عرّفنا بنفسك

تسجيل الدخول مطلوب