Derrickmehaffy

Rank: #40591 of 53,632
Total CVSS: 6.5
Vulnerabilities: 1
PT-2026-40835 · CVSS 6.5 · 2026-05-13
Strapi · Strapi · CVE-2026-22706

**Name of the Vulnerable Software and Affected Versions**

Strapi versions prior to 5.33.3.

**Description**

Changing or resetting a user's password does not invalidate existing refresh-token sessions by default. In the users-permissions and admin authentication controllers, session invalidation depends on a caller-supplied `deviceId`. If a password change or reset request is made without a `deviceId`, no refresh tokens are revoked, so every previously issued session stays active.

An attacker who has already obtained a refresh token (for example from a compromised device or browser) can therefore keep minting new access tokens after the victim resets the password. The unauthorized access lasts for the remaining lifetime of the refresh token, which is 30 days by default. A password reset is usually the first thing a user does after suspecting compromise, so the reset silently failing to evict the attacker is the security-relevant point.

**Recommendations**

Update to version 5.33.3 or later. After upgrading, verify the fix in a test environment: log in twice (two refresh tokens), change the password through the same API path an end user would use, without supplying a `deviceId`, and confirm that both old refresh tokens are rejected.