Strapi, Boolean Oracle Information Disclosure, CVE-2026-27886 (Critical)

Listen to this Post

How CVE-2026-27886 works (technical details):

The vulnerability exists in Strapi versions ≤5.36.1 due to insufficient sanitization of query parameters when filtering content via relational fields. An unauthenticated attacker can target any publicly-accessible content type that includes an admin-relation field (e.g., updatedBy, createdBy, publishedBy). By crafting a `where` query parameter that traverses into the `admin_users` table, the attacker performs a boolean‑oracle attack against private fields such as resetPasswordToken.
Specifically, a request like `/api/s?where

[resetPasswordToken][$startsWith]=a` causes the underlying query builder to generate a `LEFT JOIN` against `admin_users` and emit a `WHERE` clause referencing the joined column. Because the sanitization layer does not block operator chains that cross into restricted relational schemas, the API response count (or presence/absence of results) reveals whether the condition is true. The attacker iterates over possible characters (hex alphabet 0‑9, a‑f) and progressively longer prefixes to brute‑force the entire `resetPasswordToken` value.
Once the token is extracted, the attacker calls `POST /admin/reset-password` with that token and sets a new password, achieving full administrative account takeover without any prior authentication. The patch (version ≥5.37.0) introduces <code>strictParam</code>, <code>addQueryParams</code>, and `addBodyParams` to reject operator chains that traverse into restricted relational targets before database execution.

<h2 style="color: blue;">DailyCVE Form (3 words max per line):</h2>

Platform: Strapi (Node.js)
Version: ≤5.36.1
Vulnerability: Boolean oracle attack
Severity: Critical (9.3)
date: 2026-05-14

<h2 style="color: blue;">Prediction: May 1 2026</h2>

<h2 style="color: blue;">Analytics under heading What Undercode Say:</h2>

[bash]
Detect potential exploitation attempts in access logs
grep -E '\?(.&)?where[(updatedBy|createdBy|publishedBy)][(email|password|resetPasswordToken|confirmationToken|firstname|lastname|preferedLanguage)][\$(startsWith|contains|eq|gt|lt|ge|le|in|notIn|notNull|null)]=' /var/log/nginx/access.log
Monitor for iterative brute-force of resetPasswordToken (hex characters)
awk '/where[updatedBy][resetPasswordToken][\$startsWith]/ {print $1}' access.log | sort | uniq -c | sort -nr
Check for suspicious reset-password calls after public API bursts
grep "POST /admin/reset-password" access.log | awk '{print $1, $4}' | sort | uniq -c

how Exploit:

  1. Identify a public content API endpoint (e.g., /api/s) with an `updatedBy` relation.
  2. Send requests incrementally: ?where[bash][resetPasswordToken][$startsWith]=0, then =1, …, =f; observe response length/count to determine first hex char.
  3. Extend prefix: after finding a, try =a0, =a1, … `=af` to extract full 64‑char token.
  4. Use extracted token at `POST /admin/reset-password` with new password.

5. Log in as admin using changed credentials.

Protection from this CVE

  • Immediately upgrade Strapi to ≥5.37.0.
  • If patching is delayed, block public access to Content API endpoints that expose relational fields (temporary WAF rule on `where[bash]` patterns).
  • Monitor logs for the regex pattern above and rotate all admin passwords if exploitation is suspected.
  • Apply input validation middleware to reject any `where` parameter containing $startsWith, $contains, or `$eq` on resetPasswordToken.

Impact

  • Unauthenticated admin account takeover – attacker gains full control over the Strapi admin panel.
  • Complete data breach – admin access allows reading, modifying, and deleting all content, user records, and system configuration.
  • Privilege escalation – from unauthenticated user to super admin without any interaction from legitimate admins.
  • Lateral movement – compromised admin can deploy malicious plugins or modify backend code.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top