Listen to this Post
How CVE-2026-27886 works (technical details):
The vulnerability exists in Strapi versions ≤5.36.1 due to insufficient sanitization of query parameters when filtering content via relational fields. An unauthenticated attacker can target any publicly-accessible content type that includes an admin-relation field (e.g., updatedBy, createdBy, publishedBy). By crafting a `where` query parameter that traverses into the `admin_users` table, the attacker performs a boolean‑oracle attack against private fields such as resetPasswordToken.
Specifically, a request like `/api/s?where
[resetPasswordToken][$startsWith]=a` causes the underlying query builder to generate a `LEFT JOIN` against `admin_users` and emit a `WHERE` clause referencing the joined column. Because the sanitization layer does not block operator chains that cross into restricted relational schemas, the API response count (or presence/absence of results) reveals whether the condition is true. The attacker iterates over possible characters (hex alphabet 0‑9, a‑f) and progressively longer prefixes to brute‑force the entire `resetPasswordToken` value.
Once the token is extracted, the attacker calls `POST /admin/reset-password` with that token and sets a new password, achieving full administrative account takeover without any prior authentication. The patch (version ≥5.37.0) introduces <code>strictParam</code>, <code>addQueryParams</code>, and `addBodyParams` to reject operator chains that traverse into restricted relational targets before database execution.
<h2 style="color: blue;">DailyCVE Form (3 words max per line):</h2>
Platform: Strapi (Node.js)
Version: ≤5.36.1
Vulnerability: Boolean oracle attack
Severity: Critical (9.3)
date: 2026-05-14
<h2 style="color: blue;">Prediction: May 1 2026</h2>
<h2 style="color: blue;">Analytics under heading What Undercode Say:</h2>
[bash]
Detect potential exploitation attempts in access logs
grep -E '\?(.&)?where[(updatedBy|createdBy|publishedBy)][(email|password|resetPasswordToken|confirmationToken|firstname|lastname|preferedLanguage)][\$(startsWith|contains|eq|gt|lt|ge|le|in|notIn|notNull|null)]=' /var/log/nginx/access.log
Monitor for iterative brute-force of resetPasswordToken (hex characters)
awk '/where[updatedBy][resetPasswordToken][\$startsWith]/ {print $1}' access.log | sort | uniq -c | sort -nr
Check for suspicious reset-password calls after public API bursts
grep "POST /admin/reset-password" access.log | awk '{print $1, $4}' | sort | uniq -c
how Exploit:
- Identify a public content API endpoint (e.g.,
/api/s) with an `updatedBy` relation. - Send requests incrementally:
?where[bash][resetPasswordToken][$startsWith]=0, then=1, …,=f; observe response length/count to determine first hex char. - Extend prefix: after finding
a, try=a0,=a1, … `=af` to extract full 64‑char token. - Use extracted token at `POST /admin/reset-password` with new password.
5. Log in as admin using changed credentials.
Protection from this CVE
- Immediately upgrade Strapi to ≥5.37.0.
- If patching is delayed, block public access to Content API endpoints that expose relational fields (temporary WAF rule on `where[bash]` patterns).
- Monitor logs for the regex pattern above and rotate all admin passwords if exploitation is suspected.
- Apply input validation middleware to reject any `where` parameter containing
$startsWith,$contains, or `$eq` onresetPasswordToken.
Impact
- Unauthenticated admin account takeover – attacker gains full control over the Strapi admin panel.
- Complete data breach – admin access allows reading, modifying, and deleting all content, user records, and system configuration.
- Privilege escalation – from unauthenticated user to super admin without any interaction from legitimate admins.
- Lateral movement – compromised admin can deploy malicious plugins or modify backend code.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

