Strapi, Database Query Injection, CVE-2026-22599 (Critical)

Listen to this Post

How CVE-2026-22599 Works

The vulnerability exists in Strapi’s Content-Type Builder write API. An authenticated administrator can inject arbitrary database statements by manipulating the `column.defaultTo` attribute when creating or modifying a content type.
Setting `defaultTo` as a tuple `[value, { isRaw: true }]` causes the value to be passed directly into Knex’s `db.connection.raw()` during schema migration.
No sanitization is applied, allowing arbitrary statement execution at the database layer.

Depending on the database engine, this can enable:

  • Arbitrary file read via database utility functions
  • Denial of service through forced server crash on schema-migration error
  • Remote code execution against the database server (on engines that permit external program execution)
    The patch restricts all Content-Type Builder write APIs to development mode only. Production deployments running v5.33.2 or later return 404 for requests against `/content-type-builder/content-types` and related endpoints, removing the network-reachable attack surface entirely.

DailyCVE Form

Platform: Strapi
Version: <=5.33.1 / <=4.26.0
Vulnerability: Database Query Injection
Severity: Critical (9.3)
date: 2026-02-01

Prediction: Patch Date 2026-02-01

What Undercode Say:

Check Strapi version
npm list @strapi/strapi
Detect vulnerable endpoints
curl -X POST http://target.com/content-type-builder/content-types \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-d '{"name":"test","attributes":{"field":{"type":"string","defaultTo":["1; DROP TABLE users;--",{"isRaw":true}]}}}'
Monitor for exploitation
grep -E '(POST|PUT)\s+/content-type-builder/' /var/log/nginx/access.log
Patch command
npm install @strapi/[email protected] for v4
npm install @strapi/[email protected] for v5

Exploit:

An attacker with admin privileges sends a crafted POST/PUT request to `/content-type-builder/content-types` with a `defaultTo` tuple containing raw SQL. The unsanitized input is passed to db.connection.raw(), executing arbitrary commands at the database layer.

Protection from this CVE

  • Immediately update Strapi to v5.33.2 (v5) or v4.26.1 (v4)
  • If patching is not possible, restrict network access to the Content-Type Builder endpoints (e.g., via firewall or reverse proxy)
  • Monitor HTTP access logs for suspicious POST/PUT requests to `/content-type-builder/`
    – Audit database server logs for unexpected DEFAULT clause values referencing filesystem or program-execution functions

Impact

  • Confidentiality: Arbitrary file read and potential data exfiltration
  • Integrity: Unauthorized database modifications
  • Availability: Denial of service via forced server crash
  • Remote Code Execution: Possible on database engines that allow external program execution, leading to full server compromise

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top