SCA: security update for @strapi/strapi (GHSA-rjg2-95x7-8qmx)

Severity: Critical | Tenable Self-Hosted Container Security Plugin ID 441834

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Strapi is an open source headless content management system. Strapi versions from 4.0.0 up to, but not including, 5.37.0 did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker could use the `where` query parameter on any publicly-accessible content-type with an `updatedBy` (or other admin-relation) field to perform a boolean-oracle attack against private fields on the joined `admin_users` table, including the `resetPasswordToken` field. Extracting an admin reset token via this oracle made full administrative account takeover possible without authentication. When a filter such as `where[updatedBy][resetPasswordToken][$startsWith]=a` was applied to a public Content API endpoint, the underlying query generation performed a `LEFT JOIN` against the `admin_users` table and emitted a `WHERE` clause referencing the joined column. The query parameter sanitization layer did not block operator chains that traversed into relational target schemas the caller had no read permission on, so the response count could be used as a one-bit oracle on any admin-table field. The patch in version 5.37.0 introduces explicit query-parameter sanitization at the controller and service boundary via three new primitives: `strictParam`, `addQueryParams`, and `addBodyParams`. Operator chains that traverse into restricted relational targets are now rejected before reaching the database. (CVE-2026-27886)
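The mitigation described above, re-checking read permission at every relational hop of a filter chain so that a traversal into `admin_users` is refused before any SQL is generated, as an added, simplified illustration in JavaScript. This is not Strapi's own `strictParam`/`addQueryParams` code; the `SCHEMAS` registry, the `PUBLIC_READABLE` set and the `parseQuery` helper are constructed stand-ins for Strapi's content-type registry, permission service and query-string parsing.

```javascript
// Added illustration, not Strapi's own code: a guard that rejects `where`
// operator chains traversing into relation targets the caller cannot read.
// Constructed, simplified schema registry (attribute -> type / relation target).
const SCHEMAS = {
  "api::article.article": {
    title: { type: "string" },
    author: { type: "relation", target: "api::author.author" },
    updatedBy: { type: "relation", target: "admin::user" },
  },
  "api::author.author": { name: { type: "string" } },
  "admin::user": { email: { type: "string" }, resetPasswordToken: { type: "string" } },
};
// Constructed: content-types an unauthenticated Content API caller may read.
const PUBLIC_READABLE = new Set(["api::article.article", "api::author.author"]);
const LOGICAL = new Set(["$and", "$or", "$not"]);

// Minimal bracket-notation parser: "where[a][b][$op]=v" -> { where: { a: { b: { $op: "v" } } } }.
function parseQuery(qs) {
  const out = {};
  for (const pair of qs.split("&")) {
    const [rawKey, rawVal = ""] = pair.split("=");
    const keys = decodeURIComponent(rawKey).split(/[\[\]]+/).filter(Boolean);
    let node = out;
    keys.forEach((k, i) => {
      if (i === keys.length - 1) node[k] = decodeURIComponent(rawVal);
      else node = node[k] ??= {};
    });
  }
  return out;
}

// Walk the filter tree. Each hop along a relation re-checks read permission on the
// target content-type, so a chain into admin::user is refused before any SQL is built.
function validateFilters(uid, filters, canRead = (u) => PUBLIC_READABLE.has(u), path = []) {
  if (!canRead(uid)) return { ok: false, reason: `no read permission on ${uid} via ${path.join(".") || "<root>"}` };
  if (Array.isArray(filters)) return filters.map((f) => validateFilters(uid, f, canRead, path)).find((r) => !r.ok) ?? { ok: true };
  if (filters === null || typeof filters !== "object") return { ok: true };
  for (const [key, value] of Object.entries(filters)) {
    const attr = key.startsWith("$") ? null : SCHEMAS[uid]?.[key];
    if (!key.startsWith("$") && !attr) return { ok: false, reason: `unknown attribute ${[...path, key].join(".")}` };
    // logical operators nest filters on the same type; relations hop to their target; comparison operators hold scalars
    const next = LOGICAL.has(key) ? uid : attr?.type === "relation" ? attr.target : null;
    if (next) { const r = validateFilters(next, value, canRead, [...path, key]); if (!r.ok) return r; }
  }
  return { ok: true };
}

// Constructed requests: the filter quoted in the advisory, and a benign one through a public relation.
const REJECTED = validateFilters("api::article.article", parseQuery("where[updatedBy][resetPasswordToken][$startsWith]=a").where);
const ALLOWED = validateFilters("api::article.article", parseQuery("where[author][name][$eq]=alice").where);
```

The same check applied to `$and`/`$or`/`$not` arrays closes the obvious bypass of hiding the relational hop inside a logical operator.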

Solution

Update the @strapi/strapi library and its related packages to version 5.37.0 or later.

See Also

https://github.com/advisories/GHSA-rjg2-95x7-8qmx

Plugin Details

Severity: Critical

ID: 441834

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 5/14/2026

Updated: 6/3/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.7

Percentile: 96.44

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2026-27886

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.2

Threat Score: 8.7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/14/2026

Vulnerability Publication Date: 5/14/2026

Reference Information

CVE: CVE-2026-27886