Listen to this Post
How CVE-2026-22599 Works
The vulnerability exists in Strapi’s Content-Type Builder write API. An authenticated administrator can inject arbitrary database statements by manipulating the `column.defaultTo` attribute when creating or modifying a content type.
Setting `defaultTo` as a tuple `[value, { isRaw: true }]` causes the value to be passed directly into Knex’s `db.connection.raw()` during schema migration.
No sanitization is applied, allowing arbitrary statement execution at the database layer.
Depending on the database engine, this can enable:
- Arbitrary file read via database utility functions
- Denial of service through forced server crash on schema-migration error
- Remote code execution against the database server (on engines that permit external program execution)
The patch restricts all Content-Type Builder write APIs to development mode only. Production deployments running v5.33.2 or later return 404 for requests against `/content-type-builder/content-types` and related endpoints, removing the network-reachable attack surface entirely.
DailyCVE Form
Platform: Strapi
Version: <=5.33.1 / <=4.26.0
Vulnerability: Database Query Injection
Severity: Critical (9.3)
date: 2026-02-01
Prediction: Patch Date 2026-02-01
What Undercode Say:
Check Strapi version
npm list @strapi/strapi
Detect vulnerable endpoints
curl -X POST http://target.com/content-type-builder/content-types \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-d '{"name":"test","attributes":{"field":{"type":"string","defaultTo":["1; DROP TABLE users;--",{"isRaw":true}]}}}'
Monitor for exploitation
grep -E '(POST|PUT)\s+/content-type-builder/' /var/log/nginx/access.log
Patch command
npm install @strapi/[email protected] for v4
npm install @strapi/[email protected] for v5
Exploit:
An attacker with admin privileges sends a crafted POST/PUT request to `/content-type-builder/content-types` with a `defaultTo` tuple containing raw SQL. The unsanitized input is passed to db.connection.raw(), executing arbitrary commands at the database layer.
Protection from this CVE
- Immediately update Strapi to v5.33.2 (v5) or v4.26.1 (v4)
- If patching is not possible, restrict network access to the Content-Type Builder endpoints (e.g., via firewall or reverse proxy)
- Monitor HTTP access logs for suspicious POST/PUT requests to `/content-type-builder/`
– Audit database server logs for unexpected DEFAULT clause values referencing filesystem or program-execution functions
Impact
- Confidentiality: Arbitrary file read and potential data exfiltration
- Integrity: Unauthorized database modifications
- Availability: Denial of service via forced server crash
- Remote Code Execution: Possible on database engines that allow external program execution, leading to full server compromise
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

