Listen to this Post
How CVE-2026-22706 Works:
In Strapi versions prior to 5.33.3, the password change and reset logic in @strapi/admin and @strapi/plugin-users-permissions does not automatically revoke existing refresh tokens. The refresh token invalidation step is conditional on a caller-supplied `deviceId` parameter. When a password change or reset request lacks a deviceId, the code skips revocation entirely, leaving all prior sessions active. An attacker who has obtained a valid refresh token (e.g., via previous compromise or leaked session) can continue to call `/api/auth/refresh` or `/admin/access-token` to mint new access tokens indefinitely. By default, refresh tokens live up to 30 days, so the attacker retains persistent unauthorized access even after the legitimate user resets their password. Password reset thus fails as a containment measure because credentials are rotated but sessions are not terminated. The vulnerability is rated Low (CVSS 2.1) due to high attack complexity (requires prior refresh token acquisition and authenticated context). The patch in version 5.33.3 unconditionally invalidates all refresh tokens associated with the user on every password change or reset, regardless of deviceId, and issues a fresh device-scoped session to the caller. Indicators of exploitation include successful refresh requests using tokens issued before the user’s last password change, multiple active sessions from different IPs after a password reset, and stale `strapi_session` rows with `status=’active’` and `created_at` older than the password reset timestamp.
dailycve form:
Platform: Strapi CMS
Version: <=5.33.2
Vulnerability: Session not invalidated
Severity: Low (2.1)
date: 2026-04-09
Prediction: 5.33.3 already patched
What Undercode Say:
Check for refresh token reuse after password reset (audit log correlation)
jq '.iat' refresh_token_payload.json extract issued-at claim
Query Strapi database for active sessions older than latest password reset
sudo -u postgres psql -d strapi -c "SELECT FROM strapi_session WHERE status='active' AND created_at < (SELECT MAX(updated_at) FROM up_users WHERE password_reset=true);"
Detect suspicious /api/auth/refresh calls from unexpected IPs
grep "POST /api/auth/refresh" /var/log/strapi/access.log | awk '{print $1, $7}' | sort | uniq -c
List users with multiple active refresh token families
curl -X GET "http://localhost:1337/admin/users?filters[bash][$gt]=1" -H "Authorization: Bearer $ADMIN_TOKEN"
Exploit:
Attacker captures a valid refresh token (e.g., via XSS, network sniffing, or leaked database). After victim changes or resets password, victim’s refresh token is not revoked. Attacker sends POST /api/auth/refresh with the captured token, receives a fresh access token, and maintains full API access. Repeat until token expiry (default 30 days). No `deviceId` needed; the vulnerable endpoint skips revocation.
Protection from this CVE
Update Strapi to version >=5.33.3 immediately. If patching is delayed, manually revoke all refresh tokens after each password change by deleting rows from `strapi_session` for the affected user, or implement a middleware to force invalidation. Monitor for anomalous refresh token usage.
Impact
Persistent unauthorized API access after credential rotation, bypassing password reset as a security control. Attacker can read/modify content, escalate privileges, or exfiltrate data for up to 30 days per stolen token. Defeats session termination best practices (OWASP ASVS V2.1.1).
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

