Wildwestcybersecurity

#27768 of 53,634
9.2 Total CVSS
Vulnerabilities · 1
PT-2026-40972 · CVSS 9.2 · 2026-05-14 · Strapi · Strapi · CVE-2026-27886
**Name of the Vulnerable Software and Affected Versions**

Strapi versions 4.0.0 through 5.36.1

**Description**

Strapi did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker could use the `where` query parameter on any publicly-accessible content-type with an `updatedBy` (or other admin-relation) field to perform a boolean-oracle attack against private fields on the joined `admin users` table, including the `resetPasswordToken` field. A boolean-oracle attack is a technique where an attacker infers data by observing whether a system returns a true or false response (such as a change in the number of results returned). Extracting an admin reset token through this method allows for full administrative account takeover without authentication.

When a filter such as `where[updatedBy][resetPasswordToken][$startsWith]=a` is applied to a public Content API endpoint, the system performs a `LEFT JOIN` against the `admin users` table and emits a `WHERE` clause referencing the joined column. The sanitization layer failed to block operator chains traversing into relational target schemas that the caller lacked read permissions for, allowing the response count to serve as a one-bit oracle on any admin-table field.

**Recommendations**

Update Strapi to version 5.37.0 or later.
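The defensive check the description calls for, as an added example that is not Strapi's own code: a filter validator that walks a parsed `where` object and refuses any operator chain that crosses a relation into a target schema whose fields the caller may not read, or that touches a private field at all. The content-type schemas, the `publicReadable` permission map, and the helper names (`parseQuery`, `validateFilter`, `checkRequest`) are all constructed for this example; the query string under test is the one quoted above.

```javascript
// Added example, not Strapi code. Hypothetical schemas: an article content-type
// with an updatedBy relation to an admin user type that has a private token field.
const schemas = {
  "api::article": {
    attributes: {
      title: { type: "string" },
      updatedBy: { type: "relation", target: "admin::user" },
    },
  },
  "admin::user": {
    attributes: {
      email: { type: "string" },
      resetPasswordToken: { type: "string", private: true },
    },
  },
};

// Constructed permission map for an unauthenticated (public) caller: it may
// filter articles by title and by who updated them, but has no read permission
// on any admin::user field, so a filter must not traverse into that schema.
const publicReadable = {
  "api::article": new Set(["title", "updatedBy"]),
};

const LOGICAL = new Set(["$and", "$or", "$not"]);

// Parse a bracket-style query string such as
// "where[updatedBy][resetPasswordToken][$startsWith]=a" into a nested object.
function parseQuery(queryString) {
  const result = {};
  for (const pair of queryString.split("&")) {
    const [rawKey, rawVal = ""] = pair.split("=");
    const key = decodeURIComponent(rawKey);
    const value = decodeURIComponent(rawVal);
    const bracket = key.indexOf("[");
    const head = bracket === -1 ? key : key.slice(0, bracket);
    const parts = [head, ...Array.from(key.matchAll(/\[([^\]]*)\]/g), (m) => m[1])];
    let node = result;
    for (let i = 0; i < parts.length - 1; i++) {
      if (typeof node[parts[i]] !== "object" || node[parts[i]] === null) node[parts[i]] = {};
      node = node[parts[i]];
    }
    node[parts[parts.length - 1]] = value;
  }
  return result;
}

// Recursively validate a filter object against the schema of `uid`.
// Throws on the first field the caller is not permitted to filter on.
function validateFilter(where, uid, readable = publicReadable, path = []) {
  if (Array.isArray(where)) {
    for (const item of where) validateFilter(item, uid, readable, path);
    return true;
  }
  if (where === null || typeof where !== "object") return true; // leaf value
  const schema = schemas[uid];
  const allowed = readable[uid] || new Set();
  for (const [key, value] of Object.entries(where)) {
    if (LOGICAL.has(key)) {
      validateFilter(value, uid, readable, path); // $and/$or/$not stay on the same schema
      continue;
    }
    if (key.startsWith("$")) continue; // operator on the current field ($eq, $startsWith, ...)
    const fieldPath = [...path, key].join(".");
    const attr = schema && schema.attributes ? schema.attributes[key] : undefined;
    if (!attr) throw new Error(`unknown field ${fieldPath} on ${uid}`);
    if (attr.private) throw new Error(`private field ${fieldPath} on ${uid} cannot be filtered`);
    if (!allowed.has(key)) throw new Error(`no read permission for ${fieldPath} on ${uid}`);
    // Only relations descend into another schema, where the target's permissions apply.
    if (attr.type === "relation") validateFilter(value, attr.target, readable, [...path, key]);
  }
  return true;
}

// Entry point: parse the raw query string and validate its `where` clause.
function checkRequest(queryString, uid) {
  try {
    const parsed = parseQuery(queryString);
    validateFilter(parsed.where || {}, uid);
    return { ok: true };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}
```

The important design point is that permissions are evaluated on the target schema at every relation hop, not only on the root content-type; a filter that is legal on `api::article` is still rejected once it reaches a field on `admin::user` that the caller cannot read. Rejecting the request outright (rather than silently dropping the clause) also keeps the response count from varying with the probe, which is what removes the one-bit oracle.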