PT-2026-40972 · Strapi · Strapi
Published: 2026-05-14 · Updated: 2026-05-14 · CVE-2026-27886
CVSS v4.0: 9.2 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Strapi versions 4.0.0 through 5.36.1
Description: Strapi did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker could use the where query parameter on any publicly accessible content-type with an updatedBy (or other admin-relation) field to perform a boolean-oracle attack against private fields on the joined admin users table, including the resetPasswordToken field. A boolean-oracle attack is a technique in which an attacker infers data by observing whether a system returns a true or false response (such as a change in the number of results returned). Extracting an admin reset token through this method allows full administrative account takeover without authentication.
When a filter such as where[updatedBy][resetPasswordToken][$startsWith]=a is applied to a public Content API endpoint, the system performs a LEFT JOIN against the admin users table and emits a WHERE clause referencing the joined column. The sanitization layer failed to block operator chains traversing into relational target schemas for which the caller lacked read permission, so the response count served as a one-bit oracle on any admin-table field.
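The check the advisory describes as missing is a schema-aware walk over the parsed filter that stops at every relation hop and asks whether the caller may read the target content-type, and refuses private attributes outright. The block below is an added example written for this page; it is not Strapi's code and does not use Strapi's internal APIs. The content-type registry (SCHEMAS), the operator list, the canRead callbacks and the parseQuery helper are all constructed here to keep the example self-contained; a real deployment would take the schema and permissions from the framework.

```javascript
// Added example (not Strapi's code): reject Content API filters that traverse
// into relations the caller cannot read, or that touch private attributes.

const LOGICAL = new Set(['$and', '$or', '$not']);
const OPERATORS = new Set([...LOGICAL, '$eq', '$ne', '$in', '$notIn', '$lt', '$lte',
  '$gt', '$gte', '$contains', '$notContains', '$startsWith', '$endsWith', '$null', '$notNull']);

// Constructed content-type registry. `private` attributes must never be
// filterable; `publicRead` is what an unauthenticated caller is allowed.
const SCHEMAS = {
  'api::article.article': {
    publicRead: true,
    attributes: {
      id: { type: 'integer' }, title: { type: 'string' }, body: { type: 'text' },
      author: { type: 'relation', target: 'api::author.author' },
      updatedBy: { type: 'relation', target: 'admin::user' },
    },
  },
  'api::author.author': {
    publicRead: true,
    attributes: { id: { type: 'integer' }, name: { type: 'string' }, email: { type: 'email', private: true } },
  },
  'admin::user': {
    publicRead: false,
    attributes: {
      id: { type: 'integer' }, firstname: { type: 'string' },
      email: { type: 'email', private: true }, resetPasswordToken: { type: 'string', private: true },
    },
  },
};

// Permission callbacks for two kinds of caller (constructed for the example).
const unauthenticatedCanRead = (uid) => Boolean(SCHEMAS[uid] && SCHEMAS[uid].publicRead);
const adminCanRead = () => true;

class FilterRejected extends Error {}

// Parse bracket notation ("where[a][b]=v") into a nested object, the shape a
// qs-style parser produces. Numeric indexes are kept as object keys.
function parseQuery(qs) {
  const root = {};
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const value = decodeURIComponent(eq < 0 ? '' : pair.slice(eq + 1));
    const parts = rawKey.split('[').map((p) => p.replace(/\]$/, ''));
    let node = root;
    parts.forEach((part, i) => {
      if (i === parts.length - 1) node[part] = value;
      else node = node[part] ??= {};
    });
  }
  return root;
}

// A scalar attribute may carry a bare value or an object whose keys are all operators.
function sanitizeScalar(value, attrPath) {
  if (value === null || typeof value !== 'object') return value;
  for (const key of Object.keys(value)) {
    if (!OPERATORS.has(key)) throw new FilterRejected(`unexpected key '${key}' under scalar ${attrPath}`);
  }
  return value;
}

// Walk the filter; `uid` is the content-type the current level refers to.
// Unknown attributes fail closed, private attributes are refused, and a
// relation is followed only if canRead(target) holds for this caller.
function sanitizeFilter(filter, uid, canRead, path = []) {
  const schema = SCHEMAS[uid];
  if (!schema) throw new FilterRejected(`unknown content type ${uid}`);
  if (Array.isArray(filter)) return filter.map((f) => sanitizeFilter(f, uid, canRead, path));
  if (filter === null || typeof filter !== 'object') {
    throw new FilterRejected(`expected object at ${path.join('.') || '<root>'}`);
  }
  const out = {};
  for (const [key, value] of Object.entries(filter)) {
    const here = [...path, key].join('.');
    if (key === '$and' || key === '$or') {
      const list = Array.isArray(value) ? value : Object.values(value ?? {});
      out[key] = list.map((f) => sanitizeFilter(f, uid, canRead, [...path, key]));
    } else if (key === '$not') {
      out[key] = sanitizeFilter(value, uid, canRead, [...path, key]);
    } else if (OPERATORS.has(key)) {
      throw new FilterRejected(`operator ${key} must apply to an attribute of ${uid}`);
    } else {
      const attr = schema.attributes[key];
      if (!attr) throw new FilterRejected(`unknown attribute ${here}`);
      if (attr.private) throw new FilterRejected(`private attribute ${here} is not filterable`);
      if (attr.type === 'relation') {
        if (!canRead(attr.target)) throw new FilterRejected(`caller may not read ${attr.target} via ${here}`);
        out[key] = sanitizeFilter(value, attr.target, canRead, [...path, key]);
      } else {
        out[key] = sanitizeScalar(value, here);
      }
    }
  }
  return out;
}

// Entry point: returns {ok, filter} or {ok:false, reason} so the rejection can be logged.
function checkQuery(queryString, uid, canRead) {
  const query = parseQuery(queryString);
  const filter = query.filters ?? query.where;
  if (filter === undefined) return { ok: true, filter: undefined };
  try {
    return { ok: true, filter: sanitizeFilter(filter, uid, canRead) };
  } catch (e) {
    if (e instanceof FilterRejected) return { ok: false, reason: e.message };
    throw e;
  }
}

// Demo: the advisory's filter shape against the constructed article type.
console.log(checkQuery('where[updatedBy][resetPasswordToken][$startsWith]=a', 'api::article.article', unauthenticatedCanRead));
console.log(checkQuery('where[title][$startsWith]=a', 'api::article.article', unauthenticatedCanRead));
```

Rejecting the whole request rather than silently dropping the offending key keeps the response count from leaking anything and gives the defender a loggable event (the `reason` string) to alert on. The same schema walk applies to sort and populate parameters, which can reference relation attributes in the same bracket form.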
Recommendations: Update Strapi to version 5.37.0 or later.

Fix

Path traversal
Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-27886
GHSA-RJG2-95X7-8QMX

Affected Products

Strapi