GHSA-3XCQ-8MJW-H6MX

Vulnerability from github – Published: 2026-05-13 20:02 – Updated: 2026-05-13 20:02
Summary
Strapi Vulnerable to SQL Injection in Content Type Builder
Details

Summary of CVE-2026-22599 Vulnerability Details

  • CVE: CVE-2026-22599
  • CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N (9.3 — Critical)
  • Affected Versions: @strapi/content-type-builder <=5.33.1 (v5), @strapi/plugin-content-type-builder <=4.26.0 (v4)
  • How to Patch: Immediately update your Strapi to >=5.33.2 (v5) or >=4.26.1 (v4)

Description of CVE-2026-22599

A database-query injection vulnerability existed in the Strapi Content-Type Builder write API. An authenticated administrator could inject arbitrary database statements through the column.defaultTo attribute when creating or modifying a content type. Setting defaultTo as a tuple [value, { isRaw: true }] caused the value to be passed directly into Knex's db.connection.raw() during schema migration without sanitization, allowing arbitrary statement execution at the database layer. Depending on the database engine, this enabled arbitrary file read via database utility functions, denial of service via forced server crash on schema-migration error, and on engines that permit external program execution, remote code execution against the database server.

The patch addresses this by restricting all Content-Type Builder write APIs to development mode only. Production deployments running v5.33.2 or later return 404 for requests against /content-type-builder/content-types and related endpoints, removing the network-reachable attack surface entirely.
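The attribute shape the description singles out, a two-element array `[value, { isRaw: true }]`, is easy to screen for in request bodies before they reach an unpatched instance. The following is an added example, not Strapi's own code: it walks a parsed Content-Type Builder write payload and reports every such tuple at any depth. The payload layout (`contentType.attributes.<name>.default`) is an assumption, and the sample document is constructed with a harmless placeholder value.

```javascript
// Added example, not Strapi's own code: scan a Content-Type Builder write
// payload for the shape the advisory describes, a two-element array
// [value, { isRaw: true }], at any depth and under any key. The payload
// layout (contentType.attributes.<name>.default) is an assumption; the
// sample document is constructed, with a harmless placeholder value.

function isRawDefaultTuple(node) {
  return Array.isArray(node) &&
    node.length === 2 &&
    node[1] !== null &&
    typeof node[1] === 'object' &&
    node[1].isRaw === true;
}

// Returns the JSON paths of every raw-default tuple found in `body`.
function findRawDefaults(body, path = '$', found = []) {
  if (isRawDefaultTuple(body)) {
    found.push(path);
    return found;
  }
  if (Array.isArray(body)) {
    body.forEach((item, i) => findRawDefaults(item, `${path}[${i}]`, found));
  } else if (body !== null && typeof body === 'object') {
    for (const [key, value] of Object.entries(body)) {
      findRawDefaults(value, `${path}.${key}`, found);
    }
  }
  return found;
}

// Reject the request when any such tuple is present; a gateway or
// middleware in front of the write endpoint can call this on the parsed body.
function shouldReject(body) {
  return findRawDefaults(body).length > 0;
}

// Constructed sample: one ordinary default and one in the tuple form.
const samplePayload = {
  contentType: {
    displayName: 'article',
    attributes: {
      title: { type: 'string', default: 'untitled' },
      note: { type: 'string', default: ['placeholder', { isRaw: true }] },
    },
  },
};

console.log(findRawDefaults(samplePayload));
// → [ '$.contentType.attributes.note.default' ]
```

Such a check is a stopgap for instances that cannot be upgraded yet; the fix in >=5.33.2 / >=4.26.1 removes the write endpoints from production entirely.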

IoCs for CVE-2026-22599

Indicators that an instance running an unpatched version may have been exploited:

  • HTTP access logs containing POST or PUT requests to /content-type-builder/content-types from a non-internal source. Regex pattern: (POST|PUT)\s+/content-type-builder/
  • Database server logs containing unexpected DEFAULT clause values that reference filesystem-access or program-execution helper functions of your database engine
  • Strapi server crashes immediately following a content-type creation or update, observed as the Node process exiting during the schema-migration step
  • Files appearing under unexpected paths on the database host that match content-type DEFAULT values from the application
  • Newly-created content-types named or shaped to extract specific data (attribute names like passwd, etc, env, config)
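The first indicator above can be run directly against web server access logs. The following is an added example, not part of the advisory: it applies the advisory's regex to each line and keeps only Content-Type Builder writes from addresses outside the internal ranges. The combined log format (nginx/Apache) and the definition of "internal" (loopback plus RFC 1918) are assumptions, and the sample lines are constructed with documentation-range addresses.

```javascript
// Added example, not part of the advisory: apply the advisory's regex to
// HTTP access logs and keep only Content-Type Builder writes from addresses
// outside the internal ranges. Combined log format (nginx/Apache) and the
// definition of "internal" (loopback plus RFC 1918) are assumptions; the
// sample lines are constructed with documentation-range addresses.

const CTB_WRITE = /(POST|PUT)\s+\/content-type-builder\//;

// Combined log format: client address, ident, user, [timestamp], "request", status.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})/;

function isInternalAddress(ip) {
  const m = ip.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return ip === '::1';                 // IPv6 loopback only
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Returns {ip, time, request, status} when the line is a CTB write from a
// non-internal source, otherwise null.
function triageLine(line) {
  const m = line.match(LINE_RE);
  if (!m) return null;
  const [, ip, time, request, status] = m;
  if (!CTB_WRITE.test(request) || isInternalAddress(ip)) return null;
  return { ip, time, request, status: Number(status) };
}

function triageLog(text) {
  return text.split('\n').map(triageLine).filter(Boolean);
}

// Constructed sample: an external write, an internal write, an external read.
const sampleLog = [
  '203.0.113.7 - - [13/May/2026:20:02:00 +0000] "POST /content-type-builder/content-types HTTP/1.1" 201 512',
  '10.0.0.5 - - [13/May/2026:20:03:00 +0000] "PUT /content-type-builder/content-types/article HTTP/1.1" 200 300',
  '198.51.100.2 - - [13/May/2026:20:04:00 +0000] "GET /content-type-builder/content-types HTTP/1.1" 200 2048',
].join('\n');

console.log(triageLog(sampleLog));
// → one hit: the POST from 203.0.113.7 with status 201
```

On patched production instances the same requests are answered with 404, so the status field separates blocked attempts from writes that reached an unpatched instance.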

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@strapi/content-type-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.33.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@strapi/plugin-content-type-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.26.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-13T20:02:36Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary of CVE-2026-22599 Vulnerability Details\n\n- CVE: CVE-2026-22599\n- CVSS v3.1 Vector: `CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N` (9.3 \u2014 Critical)\n- Affected Versions: `@strapi/content-type-builder` \u003c=5.33.1 (v5), `@strapi/plugin-content-type-builder` \u003c=4.26.0 (v4)\n- How to Patch: Immediately update your Strapi to \u003e=5.33.2 (v5) or \u003e=4.26.1 (v4)\n\n### Description of CVE-2026-22599\n\nA database-query injection vulnerability existed in the Strapi Content-Type Builder write API. An authenticated administrator could inject arbitrary database statements through the `column.defaultTo` attribute when creating or modifying a content type. Setting `defaultTo` as a tuple `[value, { isRaw: true }]` caused the value to be passed directly into Knex\u0027s `db.connection.raw()` during schema migration without sanitization, allowing arbitrary statement execution at the database layer. Depending on the database engine, this enabled arbitrary file read via database utility functions, denial of service via forced server crash on schema-migration error, and on engines that permit external program execution, remote code execution against the database server.\n\nThe patch addresses this by restricting all Content-Type Builder write APIs to development mode only. Production deployments running v5.33.2 or later return 404 for requests against `/content-type-builder/content-types` and related endpoints, removing the network-reachable attack surface entirely.\n\n### IoC\u0027s for CVE-2026-22599\n\nIndicators that an instance running an unpatched version may have been exploited:\n\n- HTTP access logs containing POST or PUT requests to `/content-type-builder/content-types` from a non-internal source. Regex pattern: `(POST|PUT)\\s+/content-type-builder/`\n- Database server logs containing unexpected DEFAULT clause values that reference filesystem-access or program-execution helper functions of your database engine\n- Strapi server crashes immediately following a content-type creation or update, observed as the Node process exiting during the schema-migration step\n- Files appearing under unexpected paths on the database host that match content-type DEFAULT values from the application\n- Newly-created content-types named or shaped to extract specific data (attribute names like `passwd`, `etc`, `env`, `config`)",
  "id": "GHSA-3xcq-8mjw-h6mx",
  "modified": "2026-05-13T20:02:36Z",
  "published": "2026-05-13T20:02:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/security/advisories/GHSA-3xcq-8mjw-h6mx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strapi/strapi"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/releases/tag/v4.26.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/releases/tag/v5.33.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Strapi Vulnerable to SQL Injection in Content Type Builder"
}