GHSA-PCW7-5633-82VV

Vulnerability from github – Published: 2026-05-14 13:12 – Updated: 2026-05-14 13:12
VLAI?
Summary
Strapi Upload Plugin MIME Validation Bypass via Content API
Details

Summary of CVE-2026-22707 Vulnerability Details

  • CVE: CVE-2026-22707
  • CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N (5.3 — Medium)
  • Affected Versions: @strapi/upload <=5.33.2
  • How to Patch: Immediately update your Strapi to >=5.33.3

Description of CVE-2026-22707

In Strapi versions prior to 5.33.3, the Upload plugin's Content API endpoints did not enforce the administrator-configured MIME type restrictions (plugin.upload.security.allowedTypes and deniedTypes). The same restrictions were correctly enforced on the Admin Panel upload path.

The upload plugin's enforceUploadSecurity security check was invoked in the admin upload controller but was missing from the Content API controller. The Content API handlers uploadFiles and replaceFile (and the upload wrapper that dispatches to them) called the underlying upload service directly, bypassing both the magic-byte MIME detection and the configured allow/deny lists.

An authenticated user with the Content API upload permission could therefore upload file types the administrator had explicitly disallowed, including HTML and SVG content. In deployments serving uploaded files from the same origin as the admin panel (default), an attacker could upload an HTML or SVG file that, when opened directly by an admin, executed JavaScript in the admin origin, enabling admin-session hijack and authenticated administrative actions against the admin API.

The patch introduces a shared prepareUploadRequest helper that wraps enforceUploadSecurity and is called from both the Content API and admin upload controllers, ensuring identical security policy enforcement on every upload entry point.

IoC's for CVE-2026-22707

Indicators that an instance running an unpatched version may have been exploited:

  • Files in /uploads/ with extensions outside the configured allow-list, particularly .html, .htm, .svg, .js, .mjs, .xml, or .xhtml. Filesystem regex: \.(html?|svg|m?js|x?html|xml)$
  • Successful 201 responses from POST /api/upload where the uploaded file's MIME or extension is outside the configured allowedTypes
  • Server access logs showing non-administrator users uploading files with executable web content types. Content-Type regex: text/html|application/javascript|image/svg\+xml
  • Admin browsing logs (X-Forwarded-For, User-Agent) opening files under /uploads/*.html or /uploads/*.svg shortly before unexpected administrative actions (user creation, role changes, permission modifications)

References

Credits

Reported independently by: - @kaminuma (initial report, 2026-01-09) - @arkmarta (concurrent report, 2026-01-13 — originally filed as GHSA-r7hp-523c-r8wr, closed as duplicate)

Severity ?
5.3 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.33.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@strapi/upload"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.33.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22707"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434",
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T13:12:56Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary of CVE-2026-22707 Vulnerability Details\n\n- CVE: CVE-2026-22707\n- CVSS v3.1 Vector: `CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N` (5.3 \u2014 Medium)\n- Affected Versions: `@strapi/upload` \u003c=5.33.2\n- How to Patch: Immediately update your Strapi to \u003e=5.33.3\n\n### Description of CVE-2026-22707\n\nIn Strapi versions prior to 5.33.3, the Upload plugin\u0027s Content API endpoints did not enforce the administrator-configured MIME type restrictions (`plugin.upload.security.allowedTypes` and `deniedTypes`). The same restrictions were correctly enforced on the Admin Panel upload path.\n\nThe upload plugin\u0027s `enforceUploadSecurity` security check was invoked in the admin upload controller but was missing from the Content API controller. The Content API handlers `uploadFiles` and `replaceFile` (and the `upload` wrapper that dispatches to them) called the underlying upload service directly, bypassing both the magic-byte MIME detection and the configured allow/deny lists.\n\nAn authenticated user with the Content API upload permission could therefore upload file types the administrator had explicitly disallowed, including HTML and SVG content. In deployments serving uploaded files from the same origin as the admin panel (default), an attacker could upload an HTML or SVG file that, when opened directly by an admin, executed JavaScript in the admin origin, enabling admin-session hijack and authenticated administrative actions against the admin API.\n\nThe patch introduces a shared `prepareUploadRequest` helper that wraps `enforceUploadSecurity` and is called from both the Content API and admin upload controllers, ensuring identical security policy enforcement on every upload entry point.\n\n### IoC\u0027s for CVE-2026-22707\n\nIndicators that an instance running an unpatched version may have been exploited:\n\n- Files in `/uploads/` with extensions outside the configured allow-list, particularly `.html`, `.htm`, `.svg`, `.js`, `.mjs`, `.xml`, or `.xhtml`. Filesystem regex: `\\.(html?|svg|m?js|x?html|xml)$`\n- Successful 201 responses from `POST /api/upload` where the uploaded file\u0027s MIME or extension is outside the configured `allowedTypes`\n- Server access logs showing non-administrator users uploading files with executable web content types. Content-Type regex: `text/html|application/javascript|image/svg\\+xml`\n- Admin browsing logs (X-Forwarded-For, User-Agent) opening files under `/uploads/*.html` or `/uploads/*.svg` shortly before unexpected administrative actions (user creation, role changes, permission modifications)\n\n## References\n\n- **CWE-693**: Protection Mechanism Failure\n- **CWE-434**: Unrestricted Upload of File with Dangerous Type\n- **OWASP**: Unrestricted File Upload\n- [Strapi 5 Documentation - Media Library](https://docs.strapi.io/cms/features/media-library)\n- [Strapi Security Policy](https://github.com/strapi/strapi/security/policy)\n\n## Credits\n\nReported independently by:\n- @kaminuma (initial report, 2026-01-09)\n- @arkmarta (concurrent report, 2026-01-13 \u2014 originally filed as GHSA-r7hp-523c-r8wr, closed as duplicate)",
  "id": "GHSA-pcw7-5633-82vv",
  "modified": "2026-05-14T13:12:57Z",
  "published": "2026-05-14T13:12:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/security/advisories/GHSA-pcw7-5633-82vv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strapi/strapi"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Strapi Upload Plugin MIME Validation Bypass via Content API"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.