GHSA-HVP3-26WX-G2W4

Vulnerability from github – Published: 2026-05-13 20:02 – Updated: 2026-05-13 20:02
Summary
Strapi: Password Reset Does Not Revoke Existing Refresh Sessions
Details

Summary of CVE-2026-22706 Vulnerability Details

  • CVE: CVE-2026-22706
  • CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N (2.1 — Low)
  • Affected Versions: @strapi/admin and @strapi/plugin-users-permissions <=5.33.2
  • How to Patch: Update Strapi (both @strapi/admin and @strapi/plugin-users-permissions) to 5.33.3 or later

Description of CVE-2026-22706

In Strapi versions prior to 5.33.3, changing or resetting a user's password did not reliably invalidate the user's existing refresh-token sessions. The refresh-token revocation step in the users-permissions and admin authentication controllers ran only when the caller supplied a deviceId. A password change or reset request sent without a deviceId revoked no refresh tokens at all, so every session that existed before the reset stayed active.

An attacker who had previously obtained a refresh token could therefore keep minting new access tokens after the legitimate user reset their password, retaining unauthorized access for the remaining lifetime of the refresh token (up to 30 days by default). Rotating the credential no longer terminated an active attacker session, which defeats password reset as a containment measure: the user believes the compromise is over while the attacker's session continues.

The patch invalidates all refresh tokens associated with the user on every password change and password reset, regardless of whether a deviceId is supplied. A new device-scoped session is then issued to the caller as part of the response. Because the fix acts at the moment of the password change, upgrading by itself does not revoke sessions that an unpatched instance left active; for users whose passwords were reset while the instance was unpatched, a further password change after upgrading (which now revokes everything) or a manual revocation of their active sessions is needed.

IoCs for CVE-2026-22706

Indicators that an instance running an unpatched version may have been exploited:

  • Successful POST /api/auth/refresh or POST /admin/access-token requests using a refresh token issued before the user's most recent password change. Reviewable by correlating the refresh token's iat claim against password-change events in the audit log
  • New access-token issuances for a user whose password was reset within the past 30 days, originating from an IP or User-Agent that did not perform the reset
  • Multiple active refresh tokens for a single user across distinct IPs after a password reset event
  • Database query: rows in strapi_session with created_at earlier than the user's most recent password-reset timestamp and status = 'active'
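The first, second and fourth indicators above, worked through as an added example rather than anything from the advisory or from Strapi: decode the refresh token's payload to read `iat`, compare it with the user's most recent password-reset event, note whether the refreshing IP differs from the one that performed the reset, and apply the strapi_session check to exported rows. Assumed, because the advisory does not state them: that the refresh token is a JWT whose payload can be read without the signing key, that the request log records which user a refresh was for, and that audit events carry a unix-second timestamp and a source IP. The sample tokens, log records and session rows are constructed inline.

```javascript
// Added example, not Strapi's code: log-triage helpers for the indicators
// listed above. Assumptions: the refresh token is a JWT with a numeric `iat`
// claim (as the advisory says), the request log records the user a refresh was
// for, and the audit log gives a unix-second timestamp and source IP for each
// password reset. The tokens, log records and session rows below are constructed.

function base64urlToBuffer(s) {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
}

function bufferToBase64url(buf) {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Read the payload only. No signature check: this is offline triage, not
// authentication, and `iat` is readable without the signing secret.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(base64urlToBuffer(parts[1]).toString("utf8"));
}

// Build a sample token for the constructed log below (signature is a dummy).
function sampleToken(payload) {
  const header = bufferToBase64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const body = bufferToBase64url(Buffer.from(JSON.stringify(payload)));
  return `${header}.${body}.not-a-real-signature`;
}

// Most recent reset per user, as { resetAt, ip }.
function latestResets(resetEvents) {
  const latest = new Map();
  for (const e of resetEvents) {
    const cur = latest.get(e.userId);
    if (!cur || e.resetAt > cur.resetAt) latest.set(e.userId, { resetAt: e.resetAt, ip: e.ip });
  }
  return latest;
}

// Indicators 1 and 2: a successful refresh with a token minted before the
// user's last reset, flagged further if it came from an IP other than the one
// that performed the reset.
function findStaleRefreshes(refreshRequests, resetEvents) {
  const latest = latestResets(resetEvents);
  const findings = [];
  for (const r of refreshRequests) {
    if (r.status !== 200) continue;
    const reset = latest.get(r.userId);
    if (!reset) continue;
    let iat;
    try {
      ({ iat } = decodeJwtPayload(r.token));
    } catch {
      continue; // malformed token: not this indicator
    }
    if (typeof iat !== "number" || iat >= reset.resetAt) continue;
    findings.push({
      userId: r.userId, path: r.path, ip: r.ip, userAgent: r.userAgent,
      tokenIat: iat, resetAt: reset.resetAt, ipDiffersFromReset: r.ip !== reset.ip,
    });
  }
  return findings;
}

// Indicator 4, applied to exported rows instead of run as SQL: strapi_session
// rows still active but created before the user's last reset.
function findStaleSessions(sessionRows, resetEvents) {
  const latest = latestResets(resetEvents);
  return sessionRows.filter((row) => {
    const reset = latest.get(row.userId);
    return Boolean(reset) && row.status === "active" && row.createdAt < reset.resetAt;
  });
}

// Constructed sample data (unix seconds).
const RESET_EVENTS = [{ userId: 42, resetAt: 1778601600, ip: "203.0.113.10" }];
const OLD_TOKEN = sampleToken({ sub: 42, iat: 1778000000, exp: 1780592000 });
const NEW_TOKEN = sampleToken({ sub: 42, iat: 1778601601, exp: 1781193601 });
const REFRESH_REQUESTS = [
  // pre-reset token, used after the reset from another IP: finding
  { userId: 42, path: "/api/auth/refresh", status: 200, ip: "198.51.100.7", userAgent: "curl/8.5", token: OLD_TOKEN },
  // token issued by the reset response itself: clean
  { userId: 42, path: "/api/auth/refresh", status: 200, ip: "203.0.113.10", userAgent: "Mozilla/5.0", token: NEW_TOKEN },
  // pre-reset token but the refresh was rejected: clean
  { userId: 42, path: "/admin/access-token", status: 401, ip: "198.51.100.7", userAgent: "curl/8.5", token: OLD_TOKEN },
];
const SESSION_ROWS = [
  { id: 1, userId: 42, createdAt: 1778000000, status: "active" },
  { id: 2, userId: 42, createdAt: 1778601601, status: "active" },
  { id: 3, userId: 42, createdAt: 1777000000, status: "revoked" },
];
```

On the sample data, findStaleRefreshes returns the single pre-reset refresh from 198.51.100.7 with ipDiffersFromReset set, and findStaleSessions returns only row 1. A hit on either is evidence that a session outlived a reset, not proof of exploitation; the owner of the flagged IP and User-Agent still has to be established.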

References

  • OWASP ASVS 4.0 – V3.3.3: Terminate all other active sessions after a successful password change, including change via password reset or recovery
  • OWASP Top 10 (2017) – A2: Broken Authentication

Credits

  • bugbunny.ai
  • AndyAnh174 (concurrent report, 2026-04-09 — originally filed as GHSA-c6gj-8rxm-jrf2, closed as duplicate)
  • Aastha2602 (concurrent report, 2026-03-10 — originally filed as GHSA-5qvg-4jch-gvf4, closed as duplicate)

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.33.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@strapi/admin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.33.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.33.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@strapi/plugin-users-permissions"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.33.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22706"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-13T20:02:42Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary of CVE-2026-22706 Vulnerability Details\n\n- CVE: CVE-2026-22706\n- CVSS v3.1 Vector: `CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N` (2.1 \u2014 Low)\n- Affected Versions: `@strapi/admin` and `@strapi/plugin-users-permissions` \u003c=5.33.2\n- How to Patch: Immediately update your Strapi to \u003e=5.33.3\n\n### Description of CVE-2026-22706\n\nIn Strapi versions prior to 5.33.3, changing or resetting a user\u0027s password did not invalidate the user\u0027s existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and admin authentication controllers was conditional on a caller-supplied `deviceId`. When a password change or reset request did not include a `deviceId`, no refresh tokens were revoked, leaving every prior session active.\n\nAn attacker who had previously obtained a refresh token could continue minting new access tokens after the legitimate user reset their password, allowing persistent unauthorized access for the lifetime of the refresh token (up to 30 days by default). Rotating credentials no longer terminated an active attacker session, defeating password reset as a containment measure.\n\nThe patch invalidates all refresh tokens associated with the user on every password change and password reset, regardless of whether a `deviceId` is supplied. A new device-scoped session is then issued to the caller as part of the response.\n\n### IoC\u0027s for CVE-2026-22706\n\nIndicators that an instance running an unpatched version may have been exploited:\n\n- Successful `POST /api/auth/refresh` or `POST /admin/access-token` requests using a refresh token issued before the user\u0027s most recent password change. Reviewable by correlating refresh-token `iat` claims against password-change events in audit logs\n- New access-token issuances for a user whose password was reset within the past 30 days, originating from an IP or User-Agent that did not perform the reset\n- Multiple active refresh tokens for a single user across distinct IPs after a password reset event\n- Database query: rows in `strapi_session` with `created_at` earlier than the user\u0027s most recent password-reset timestamp and `status = \u0027active\u0027`\n\n### References\n\n* OWASP ASVS 4.0 \u2013 V2.1.1: Session invalidation on credential change\n* OWASP Top 10 \u2013 A2: Broken Authentication\n\n### Credits\n\n- bugbunny.ai\n- AndyAnh174 (concurrent report, 2026-04-09 \u2014 originally filed as GHSA-c6gj-8rxm-jrf2, closed as duplicate)\n- Aastha2602 (concurrent report, 2026-03-10 \u2014 originally filed as GHSA-5qvg-4jch-gvf4, closed as duplicate)",
  "id": "GHSA-hvp3-26wx-g2w4",
  "modified": "2026-05-13T20:02:42Z",
  "published": "2026-05-13T20:02:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/security/advisories/GHSA-hvp3-26wx-g2w4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strapi/strapi"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Strapi: Password Reset Does Not Revoke Existing Refresh Sessions"
}