CVEFinder.io

CVE-2026-22706

🔶 medium
🔍 Scan for this CVE
Summary

Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and admin authentication controllers was conditional on a caller-supplied `deviceId`. When a password change or reset request did not include a `deviceId`, no refresh tokens were revoked, leaving every prior session active. An a

Description

Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and admin authentication controllers was conditional on a caller-supplied `deviceId`. When a password change or reset request did not include a `deviceId`, no refresh tokens were revoked, leaving every prior session active. An attacker who had previously obtained a refresh token could continue minting new access tokens after the legitimate user reset their password, allowing persistent unauthorized access for the lifetime of the refresh token (up to 30 days by default). Rotating credentials no longer terminated an active attacker session, defeating password reset as a containment measure. The patch in version 5.33.3 invalidates all refresh tokens associated with the user on every password change and password reset, regardless of whether a `deviceId` is supplied. A new device-scoped session is then issued to the caller as part of the response.

CVSS Score
6.5
Medium
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-14
First Seen: 2026-05-17
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 47.8% of all 328,009 vulnerabilities in our database.

#171,192
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 15, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2026-05-16
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)
CWE-613

📦 Affected Products 1

Vendor Product Status Affected Versions
strapi strapi Affected
< 5.33.3

🔗 References 1

https://github.com/strapi/strapi/security/advisories...
Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2025-64526 🔶 medium 5.3 0.0 Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middlewa... 2026-05-14
CVE-2026-22599 ⚠️ high 7.2 0.1 Strapi is an open source headless content management system. In versions on the 4.x branch prior to 4.26.1 and on the 5.... 2026-05-14
CVE-2026-22707 🔶 medium 5.4 0.0 Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, the Upload plugin's Con... 2026-05-14
CVE-2026-27886 ⚠️ high 7.5 0.1 Strapi is an open source headless content management system. Strapi versions starting in 4.0.0 and prior to 5.37.0 did n... 2026-05-14
CVE-2024-56143 ⚠️ high 8.2 0.0 Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator... 2025-10-16
CVE-2025-3930 🔶 medium - 0.1 Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, ... 2025-10-16
These CVEs affect the same products