PT-2026-40835 · Strapi · Strapi

Aastha2602 +4 · Published 2026-05-13 · Updated 2026-05-14 · CVE-2026-22706

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Strapi versions prior to 5.33.3

Description: Changing or resetting a user's password does not invalidate existing refresh-token sessions by default. In the users-permissions and admin authentication controllers, the invalidation process depends on a caller-supplied deviceId. If a password change or reset request is made without a deviceId, no refresh tokens are revoked, which keeps all previous sessions active. This allows an attacker with a previously obtained refresh token to continue generating new access tokens even after a password reset, enabling unauthorized access for the duration of the refresh token's lifetime, which is 30 days by default.

Recommendations: Update to version 5.33.3 or later.
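The flaw described above, modelled as an added example that is not Strapi's code: a minimal session store whose revocation step is keyed on a caller-supplied deviceId, beside the hardened step that ends every refresh session of the user on a password change. All names (SessionStore, simulate, the user and device ids) are hypothetical.

```javascript
// Constructed model of refresh-token invalidation on password change.
// Not Strapi's implementation; it only reproduces the pattern in the advisory.
class SessionStore {
  constructor() {
    this.sessions = new Map(); // refreshToken -> { userId, deviceId }
    this.nextId = 1;           // real tokens are random; a counter keeps this deterministic
  }

  issue(userId, deviceId) {
    const token = `rt-${this.nextId++}`;
    this.sessions.set(token, { userId, deviceId });
    return token;
  }

  // Flawed pattern: revocation depends on deviceId, so a password change or
  // reset submitted without one revokes nothing and every session survives.
  revokeOnPasswordChangeFlawed(userId, deviceId) {
    if (!deviceId) return 0;
    let revoked = 0;
    for (const [token, s] of this.sessions) {
      if (s.userId === userId && s.deviceId === deviceId) { this.sessions.delete(token); revoked++; }
    }
    return revoked;
  }

  // Hardened pattern: a password change ends all of the user's refresh
  // sessions, whether or not the request identifies a device.
  revokeOnPasswordChangeFixed(userId) {
    let revoked = 0;
    for (const [token, s] of this.sessions) {
      if (s.userId === userId) { this.sessions.delete(token); revoked++; }
    }
    return revoked;
  }

  // Refresh endpoint check: only a still-registered token may mint access tokens.
  canRefresh(token) { return this.sessions.has(token); }
}

// Scenario: a refresh token issued earlier is held elsewhere; the user then
// resets the password without a deviceId. Returns what each variant leaves valid.
function simulate(useFix) {
  const store = new SessionStore();
  const oldToken = store.issue('alice', 'phone');   // constructed sample session
  store.issue('alice', 'laptop');
  const bobToken = store.issue('bob', 'desktop');   // unrelated user, must be untouched
  const revoked = useFix ? store.revokeOnPasswordChangeFixed('alice')
                         : store.revokeOnPasswordChangeFlawed('alice', undefined);
  return { revoked, oldTokenStillValid: store.canRefresh(oldToken), otherUserIntact: store.canRefresh(bobToken) };
}
```

Running `simulate(false)` revokes nothing and the old token still refreshes; `simulate(true)` revokes both of alice's sessions and leaves bob's untouched.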

Fix

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

CVE-2026-22706
GHSA-HVP3-26WX-G2W4

Affected Products

Strapi