SCA: security update for @strapi/admin, @strapi/plugin-users-permissions (GHSA-hvp3-26wx-g2w4)

Severity: Low | Tenable Self-Hosted Container Security | Plugin ID 441826

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing
or resetting a user's password did not invalidate the user's existing refresh-token sessions by default.
The refresh-token invalidation step in the users-permissions and admin authentication controllers was
conditional on a caller-supplied `deviceId`. When a password change or reset request did not include a
`deviceId`, no refresh tokens were revoked, leaving every prior session active. An attacker who had
previously obtained a refresh token could continue minting new access tokens after the legitimate user
reset their password, allowing persistent unauthorized access for the lifetime of the refresh token (up to
30 days by default). Rotating credentials no longer terminated an active attacker session, defeating
password reset as a containment measure. The patch in version 5.33.3 invalidates all refresh tokens
associated with the user on every password change and password reset, regardless of whether a `deviceId`
is supplied. A new device-scoped session is then issued to the caller as part of the response.
(CVE-2026-22706)

Solution

Update the @strapi/admin library and its related packages to version 5.33.3 or later.

See Also

https://github.com/advisories/GHSA-hvp3-26wx-g2w4

Plugin Details

Severity: Low

ID: 441826

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 5/14/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.66

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: High

Base Score: 7.7

Temporal Score: 5.7

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:N

CVSS Score Source: CVE-2026-22706

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Low

Base Score: 2.1

Threat Score: 0.5

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/13/2026

Vulnerability Publication Date: 5/13/2026

Reference Information

CVE: CVE-2026-22706

CWE: CWE-613