Strapi Vulnerability Database Adds 23 New CVEs This Month

The viral "23 new Strapi CVEs" claim is false — but two real critical flaws, rated 9.3 and 9.2, demand immediate patching.

If you’ve seen the claim that Strapi’s vulnerability database added 23 new CVEs this month, you should know upfront: that number doesn’t hold up. A check of every major CVE tracker — the National Vulnerability Database, OpenCVE, CVEDetails, the GitHub Advisory Database, and Snyk — shows no batch of 23 new Strapi CVEs landing in June 2026. The figure appears to be either a misreading of cumulative advisory counts or simple exaggeration. What actually happened is smaller in number but arguably more serious in substance: Strapi’s most recent official security disclosure covered five vulnerabilities patched across v5 and v4 LTS, and two of them carry critical CVSS scores above 9.0.

Those five CVEs — CVE-2025-64526, CVE-2026-22599, CVE-2026-22706, CVE-2026-22707, and CVE-2026-27886 — include an SQL injection in the Content-Type Builder scoring 9.3 and an unauthenticated data-leak flaw scoring 9.2 that allows full admin account takeover. For anyone running Strapi as a headless CMS behind a Next.js, Gatsby, or mobile front end, the real story is not the inflated count. It’s that a remote attacker could, until recent patches, extract an administrator’s password reset token without logging in at all. For example, a marketing agency running an unpatched Strapi 5.x instance to feed content to a client’s site would have been exposed to CVE-2026-27886 simply by having its API publicly reachable — no plugin misconfiguration or weak password required.


Did Strapi Really Add 23 New CVEs This Month?

No. There is no verifiable record of 23 new Strapi CVEs being published in a single month. Searches across NVD, OpenCVE’s vendor-filtered Strapi list, CVEDetails, the GitHub Advisory Database, and Snyk’s vulnerability database turn up nothing resembling a 23-CVE batch in June 2026, and no security news outlet has reported one. Claims like this often originate from someone counting a vendor’s entire historical advisory list, or from automated content that conflated cumulative totals with monthly additions. The verified reality is Strapi’s official disclosure of five vulnerabilities, published on the Strapi blog and patched in both the v5 line and the v4 LTS line.

Compare that with how WordPress core handles disclosures: a typical WordPress security release also bundles a handful of fixes, not dozens. Five CVEs in one coordinated disclosure is normal, responsible vendor behavior — 23 in a month for a single CMS core would be an extraordinary event that every security publication would cover. This matters for anyone making platform decisions. If you’re evaluating Strapi against Contentful, Sanity, or a traditional WordPress setup, basing the comparison on an unverified “23 CVEs” figure would unfairly skew the analysis. Judge the platform on the real advisories — which, as the next sections show, still deserve serious attention.

The Critical SQL Injection in Strapi’s Content-Type Builder

CVE-2026-22599 (tracked as GHSA-3xcq-8mjw-h6mx) is the more classic of the two critical flaws. It’s an SQL injection in the Content-Type Builder, the admin tool developers use to define content schemas. The `column.defaultTo` attribute was passed unsanitized into Knex’s `db.connection.raw()` call, meaning a crafted default value could execute arbitrary SQL against the database. NVD assigned it a CVSS v4.0 score of 9.3 — Critical. The affected versions are @strapi/content-type-builder 5.33.1 and earlier on the v5 line, and 4.26.0 and earlier on v4.

Fixes shipped in 5.33.2 and 4.26.1. If your `package.json` pins anything below those versions, your database — including user tables, API tokens, and content — is potentially readable or writable by anyone who can reach that code path. One important limitation to understand: “we don’t expose the Content-Type Builder in production” is not a complete defense. The vulnerable code exists in the package whether or not your team actively uses the schema editor, and reasoning about exactly which routes are reachable in your specific deployment is exactly the kind of analysis that goes wrong under pressure. Patching is far cheaper than auditing.
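The pattern behind this bug is worth seeing in code. The block below is an added illustration, not Strapi’s own code: a schema helper that drops a column’s `defaultTo` value straight into DDL, beside a hardened version that allowlists identifiers and serialises the default as a typed SQL literal. The table and column names and the payload are constructed; where your driver accepts bound parameters for the statement in question, prefer those over building the literal yourself.

```javascript
// Added illustration, not Strapi's own code: a schema helper that interpolates a
// column's `defaultTo` value straight into DDL (the shape of CVE-2026-22599) next
// to a hardened version that allowlists identifiers and serialises the default as
// a typed SQL literal instead of trusting the caller's string.

// Identifiers the builder will accept for table and column names.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;

// Vulnerable pattern: whatever the client put in defaultTo lands verbatim in the
// statement that is handed to the database.
function alterDefaultUnsafe(column) {
  return `ALTER TABLE "${column.table}" ALTER COLUMN "${column.name}" ` +
    `SET DEFAULT ${column.defaultTo}`;
}

// Turn a JS value into a SQL literal the DDL can carry safely. Strings are
// single-quoted with embedded quotes doubled; backslashes and control characters
// are rejected rather than escaped so the result does not depend on the
// database's string mode (MySQL treats backslash as an escape by default).
function sqlLiteral(value) {
  if (value === null) return 'NULL';
  if (typeof value === 'boolean') return value ? 'TRUE' : 'FALSE';
  if (typeof value === 'number' && Number.isFinite(value)) return String(value);
  if (typeof value === 'string') {
    if (/[\\\x00-\x1f]/.test(value)) throw new Error('control character or backslash in default');
    return `'${value.replace(/'/g, "''")}'`;
  }
  throw new Error(`unsupported default type: ${typeof value}`);
}

// Hardened pattern: identifiers validated, default value never concatenated raw.
function alterDefaultSafe(column) {
  for (const id of [column.table, column.name]) {
    if (!IDENT.test(id)) throw new Error(`invalid identifier: ${id}`);
  }
  return `ALTER TABLE "${column.table}" ALTER COLUMN "${column.name}" ` +
    `SET DEFAULT ${sqlLiteral(column.defaultTo)}`;
}

// Constructed attacker payload: a "default" that smuggles in a second statement.
const crafted = {
  table: 'articles',
  name: 'status',
  defaultTo: "'draft'; DROP TABLE admin_users; --",
};

console.log(alterDefaultUnsafe(crafted)); // second statement survives intact
console.log(alterDefaultSafe(crafted));   // whole payload becomes one quoted string
```

The unsafe builder emits two statements; the safe one emits one statement whose default is the literal string `'draft'; DROP TABLE admin_users; --`, which is ugly but harmless.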

CVSS v4.0 Scores in Strapi’s Five-CVE Disclosure

- CVE-2026-22599 (SQL injection, Content-Type Builder): 9.3
- CVE-2026-27886 (admin token boolean oracle): 9.2
- CVE-2026-22706 (password reset): 6.5
- CVE-2026-22707 (MIME validation bypass): 5.3
- CVE-2025-64526: 5.0

Source: NVD / GitHub Advisory Database / Strapi security disclosure

CVE-2026-27886 — Admin Takeover Without a Login

The second critical flaw, CVE-2026-27886 (GHSA-rjg2-95x7-8qmx), is the more unusual and arguably more dangerous one. It’s an unauthenticated boolean-oracle data leak through Strapi’s relational filtering. By sending `where` filters against admin-relation fields such as `updatedBy`, an attacker could ask yes/no questions about hidden admin data — and one of the things they could extract, character by character, was an administrator’s `resetPasswordToken`. With the token in hand, the attacker resets the admin password and owns the instance. CVSS v4.0 score: 9.2, Critical.

The affected range is wide: every Strapi release from 4.0.0 up to (but not including) 5.37.0. The fix landed in v5.37.0. Bishop Fox published the detailed research on the boolean-oracle exfiltration technique, and Corgea covered the broader cluster combining the admin-token oracle with the Content-Type Builder injection. As a concrete scenario: a content API endpoint that allows public filtering — common for blog or product listing front ends — was sufficient attack surface. The attacker never needed credentials, never touched the admin panel, and the requests would look like ordinary filtered API queries in most access logs, making the attack difficult to spot after the fact.
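To make the "yes/no questions, character by character" mechanic concrete, here is an added model of the technique. It is not Bishop Fox’s or Strapi’s code: the oracle stands in for a public list endpoint that, when filtered on a hidden admin relation, answers only "some results" or "no results". The filter name written into the simulated request log (`filters[updatedBy][resetPasswordToken][$startsWith]`) is an assumption for illustration, and the hidden token is constructed.

```javascript
// Added model of the boolean-oracle technique, not Bishop Fox's or Strapi's code.
// The oracle stands in for a public list endpoint that, when filtered on a hidden
// admin relation, answers only "some results" or "no results". The filter name
// in the logged request is an assumption; the hidden token is constructed.

const HIDDEN_ADMIN = { resetPasswordToken: 'a3f9c0' }; // constructed, not real

// Yes/no oracle with a request log so the cost of the attack is visible.
function makeOracle(admin) {
  const log = [];
  return {
    startsWith(prefix) {
      log.push(`GET /api/articles?filters[updatedBy][resetPasswordToken][$startsWith]=${prefix}`);
      return admin.resetPasswordToken.startsWith(prefix);
    },
    requests: () => log.length,
    log: () => log.slice(),
  };
}

// Recover the token one character at a time. Each position costs at most
// alphabet.length questions, so a 32-character hex token needs at most 512
// requests, every one of which looks like an ordinary filtered read.
function extractToken(oracle, alphabet, maxLen) {
  let known = '';
  for (let pos = 0; pos < maxLen; pos++) {
    const next = [...alphabet].find((ch) => oracle.startsWith(known + ch));
    if (next === undefined) break; // nothing extends the prefix: end of token
    known += next;
  }
  return known;
}

const oracle = makeOracle(HIDDEN_ADMIN);
const recovered = extractToken(oracle, '0123456789abcdef', 64);
console.log(recovered, 'in', oracle.requests(), 'requests');
```

Two things follow from the model. The attacker never needs a credential, only an endpoint that honours the filter; and the request volume is modest but distinctive, which is why the retrospective log check later in this article looks for bursts of similar filtered requests from one source.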

How to Patch — and What the Version Choice Costs You

The remediation path depends on which Strapi line you run. For the SQL injection (CVE-2026-22599), upgrade to 5.33.2 on v5 or 4.26.1 on v4 LTS. For the boolean-oracle flaw (CVE-2026-27886), you need v5.37.0 — and note that the disclosure cluster also included CVE-2026-22706, a password reset issue, and CVE-2026-22707, a MIME validation bypass, both addressed in the same patch wave. The practical advice is to move to the latest patched release of your line rather than cherry-picking minimums. There’s a genuine tradeoff here for v4 holdouts.

Staying on v4 LTS gets you security backports like 4.26.1 without the migration effort of a major upgrade, but the CVE-2026-27886 fix is documented in v5.37.0 — the v5 line is where remediation lands first and most completely. Teams that have deferred the v4-to-v5 migration are now paying for that deferral in the form of harder security decisions. Compare this with Drupal’s model, where security support windows are published years in advance: Strapi teams need to track the project’s LTS commitments actively rather than assuming indefinite backports. After upgrading, rotate secrets. If your instance was exposed while vulnerable to CVE-2026-27886, assume admin reset tokens may have been read: force password resets for admin users, regenerate API tokens, and review the admin user list for accounts you don’t recognize.

Why Headless CMS Vulnerabilities Are Easy to Miss

Headless CMS deployments have a structural blind spot: the CMS is invisible to end users, so it’s invisible to a lot of monitoring, too. A WordPress site that gets defaced announces its own compromise. A Strapi instance feeding JSON to a statically generated front end can be fully compromised while the public website looks perfectly normal — the attacker reads your data, plants persistence, and the build pipeline keeps shipping clean pages. The warning here is specifically about ownership.

In agency and freelance setups, Strapi often gets provisioned during a project, handed to the client at launch, and then nobody owns dependency updates. Unlike WordPress, which has built-in update notifications staring at every admin who logs in, a Strapi version bump requires someone to run `npm outdated`, read the changelog, test, and redeploy. CVE-2026-27886’s affected range — everything from 4.0.0 onward — means instances set up years ago and never touched were vulnerable the entire time. A reasonable minimum standard: subscribe to Strapi’s security blog or watch the GitHub repository’s security advisories, run `npm audit` in CI so vulnerable dependency versions fail the build, and put CMS patching in someone’s job description rather than leaving it to whoever notices.

How Strapi’s Disclosure Process Actually Works

Strapi coordinates disclosures through GitHub Security Advisories (the GHSA identifiers attached to each CVE) and publishes consolidated write-ups on its blog — the five-CVE disclosure covering CVE-2025-64526 through CVE-2026-27886 is the current example. Patches ship before the technical details go public, which is why the blog post names fixed versions for both v5 and v4 LTS in the same announcement.

External researchers play a large role in this pipeline. Bishop Fox’s published analysis of CVE-2026-27886 demonstrates the boolean-oracle exfiltration in detail, and Corgea’s research documented the combined admin-token-oracle and query-injection cluster. That third-party scrutiny is a sign of a maturing ecosystem: popular open-source projects attract researchers, which produces CVEs — a project with zero CVEs usually means nobody is looking, not that nothing is wrong.

Checking Your Own Exposure Right Now

Two commands answer most of the urgent questions. `npm ls @strapi/strapi` (or checking `package.json` in your deployment) tells you your core version: anything below 5.37.0 on the v5 line is exposed to CVE-2026-27886, and anything at or below 5.33.1 (or 4.26.0 on v4) carries the 9.3-rated SQL injection.
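The version thresholds above, and the v4 tradeoff described in the patching section, are easy to get wrong when several teams are reading `npm ls` output by hand. The helper below is an added example, not Strapi tooling: it reads the version out of `npm ls @strapi/strapi` output and maps it onto the fixed-version boundaries stated in the disclosure. It assumes `@strapi/content-type-builder` is installed at the same version as core, which holds for a standard install; if you pin packages separately, check that package on its own. The sample `npm ls` output is constructed.

```javascript
// Added helper, not Strapi tooling: reads the version out of `npm ls @strapi/strapi`
// output and maps it onto the fixed-version boundaries stated in the disclosure.
// Assumes @strapi/content-type-builder tracks the core version (standard install).

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Three-way comparison on major.minor.patch; pre-release tags are ignored.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Pull "@strapi/strapi@X.Y.Z" out of npm ls output; the tree characters vary
// between npm versions, the package@version token does not.
function versionFromNpmLs(output) {
  const m = /@strapi\/strapi@(\d+\.\d+\.\d+)/.exec(output);
  if (!m) throw new Error('no @strapi/strapi entry found in npm ls output');
  return m[1];
}

// Return the advisories a given core version is still exposed to.
function assessStrapiVersion(version) {
  const v = parseVersion(version);
  if (v[0] < 4) throw new Error(`${version} predates the ranges in the disclosure`);
  const exposed = [];
  // CVE-2026-22599: fixed in 5.33.2 (v5) and 4.26.1 (v4 LTS).
  if (cmp(v, v[0] >= 5 ? [5, 33, 2] : [4, 26, 1]) < 0) exposed.push('CVE-2026-22599');
  // CVE-2026-27886: affects >=4.0.0 <5.37.0 and the documented fix is v5.37.0,
  // so every v4 release, patched for the SQLi or not, stays in the exposed range.
  if (cmp(v, [5, 37, 0]) < 0) exposed.push('CVE-2026-27886');
  return exposed;
}

// Constructed npm ls output for illustration.
const SAMPLE_NPM_LS = 'my-cms@1.0.0 /srv/cms\n└── @strapi/strapi@5.36.1\n';
console.log(assessStrapiVersion(versionFromNpmLs(SAMPLE_NPM_LS)));
```

Running it against a 4.26.1 install reports only CVE-2026-27886, which is the v4 holdout problem in one line: the backport closes the SQL injection but the documented fix for the token oracle lives on the v5 line.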

`npm audit` will flag the advisories directly, since both GHSA-3xcq-8mjw-h6mx and GHSA-rjg2-95x7-8qmx are in the GitHub Advisory Database that npm consumes. For retrospective checks, search your API access logs for unusual volumes of requests using filter parameters against fields like `updatedBy` — the boolean-oracle attack requires many sequential queries to extract a token, so a burst of similar filtered requests from one source is the signature to look for. OpenCVE’s vendor-filtered Strapi list is the cleanest place to monitor for future advisories without wading through unrelated noise.
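The log search described above can be scripted. The block below is an added detection sketch, not code from Strapi or the cited researchers: it parses combined-log-format lines, keeps only requests whose query string names an admin relation (`updatedBy` or `createdBy`), groups them by client address, and flags any client whose densest 60-second window holds 20 or more such requests. The log lines are constructed, and the line format, window and threshold are assumptions to adapt to your own proxy.

```javascript
// Added detection sketch, not code from Strapi or the cited researchers: flags a
// client that sends many filtered requests naming an admin relation inside a
// short window, the burst shape a character-by-character oracle produces.
// Sample log lines are constructed; regex, window and threshold are assumptions.

const ADMIN_RELATIONS = ['createdBy', 'updatedBy'];
const CLF = /^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3}/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "12/Jun/2026:10:00:01 +0000" -> epoch seconds, honouring the zone offset.
function parseClfTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m) throw new Error(`bad timestamp: ${s}`);
  const [, d, mon, y, hh, mm, ss, sign, oh, om] = m;
  const offset = (Number(oh) * 3600 + Number(om) * 60) * (sign === '-' ? -1 : 1);
  return Date.UTC(+y, MONTHS[mon], +d, +hh, +mm, +ss) / 1000 - offset;
}

// True when the query string filters or populates through an admin relation.
function touchesAdminRelation(url) {
  let qs = url.split('?')[1] || '';
  try { qs = decodeURIComponent(qs); } catch (_) { /* keep raw on bad encoding */ }
  return ADMIN_RELATIONS.some((f) => qs.includes(`[${f}]`));
}

// Group matching requests by client, then measure the densest windowSec span.
function findOracleBursts(lines, { windowSec = 60, threshold = 20 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const m = CLF.exec(line);
    if (!m || !touchesAdminRelation(m[3])) continue;
    if (!byIp.has(m[1])) byIp.set(m[1], []);
    byIp.get(m[1]).push(parseClfTime(m[2]));
  }
  const alerts = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let lo = 0, peak = 0;
    for (let hi = 0; hi < times.length; hi++) {
      while (times[hi] - times[lo] > windowSec) lo++;
      peak = Math.max(peak, hi - lo + 1);
    }
    if (peak >= threshold) alerts.push({ ip, total: times.length, peakInWindow: peak });
  }
  return alerts;
}

// Constructed sample: one client walking hex prefixes, two benign readers.
function buildSampleLog() {
  const line = (ip, t, qs) =>
    `${ip} - - [12/Jun/2026:10:00:${String(t).padStart(2, '0')} +0000] "GET /api/articles?${qs} HTTP/1.1" 200 2`;
  const hex = '0123456789abcdef';
  const lines = [];
  for (let i = 0; i < 40; i++) {
    lines.push(line('203.0.113.7', i, `filters[updatedBy][resetPasswordToken][$startsWith]=a3${hex[i % 16]}`));
  }
  lines.push(line('198.51.100.4', 5, 'filters[category][$eq]=news&populate=cover'));
  lines.push(line('198.51.100.4', 30, 'filters[category][$eq]=news&pagination[page]=2'));
  lines.push(line('198.51.100.9', 12, 'filters[updatedBy][id][$eq]=1')); // one hit, not a burst
  return lines;
}

console.log(findOracleBursts(buildSampleLog()));
```

A single legitimate request that filters on `updatedBy` does not trip the rule; forty in a minute from one address does. Tune the threshold against a week of your own traffic before wiring it into alerting, since some front ends do filter on author relations routinely.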

Frequently Asked Questions

Did Strapi really get 23 new CVEs this month?

No. No CVE tracker or news outlet shows a 23-CVE batch. The verified recent disclosure covered five vulnerabilities patched in v5 and v4 LTS.

Which Strapi versions fix the critical vulnerabilities?

The SQL injection (CVE-2026-22599) is fixed in 5.33.2 and 4.26.1. The unauthenticated data-leak flaw (CVE-2026-27886) is fixed in v5.37.0.

Can attackers exploit CVE-2026-27886 without credentials?

Yes. It’s an unauthenticated boolean-oracle leak via relational filtering that can extract an admin’s resetPasswordToken, enabling full account takeover.

What should I do after patching?

Rotate secrets — force admin password resets, regenerate API tokens, and review admin accounts, since reset tokens may have been read while you were vulnerable.

How severe are these flaws compared to typical CMS bugs?

Very. CVSS v4.0 scores of 9.3 and 9.2 put both in the Critical range, comparable to the worst WordPress core or plugin flaws in recent years.
