SB2026051392 - Improper Neutralization of Special Elements in Data Query Logic in strapi

Published: May 13, 2026

Security Bulletin ID: SB2026051392
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper Neutralization of Special Elements in Data Query Logic (CVE-ID: CVE-2026-27886)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper neutralization of special elements in data query logic in the Content API relational filtering logic when processing crafted where query parameters on publicly accessible content-type endpoints. A remote attacker can send a specially crafted query parameter chain traversing admin relations to disclose sensitive information.

Exploitation is possible on publicly accessible content-types with an updatedBy or other admin-relation field, and the response count can be used as a boolean oracle against private fields in the joined admin_users table.
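As an added illustration of the defensive check a practitioner would want in front of a public content-type endpoint (example code written for this bulletin, not Strapi's own code and not the vendor's patch), the block below parses a bracket-style query string, walks the resulting filter object, and reports every filter path that traverses an admin relation. The bracket syntax, the top-level "filters" key and the "createdBy" relation name are assumptions; only "updatedBy" and the admin_users join come from the bulletin. The check is meant as a route-level or proxy-level guard until the vendor update is installed, not as a replacement for it.

```javascript
// Added example (not Strapi code): reject Content API queries whose filters
// reach into admin relations. Assumed relation names: `updatedBy` (from the
// bulletin) and `createdBy` (assumed counterpart). Extend the set per schema.
const ADMIN_RELATIONS = new Set(["updatedBy", "createdBy"]);
// Logical operators are transparent: they group conditions but add no field.
const LOGICAL_OPERATORS = new Set(["$and", "$or", "$not"]);
// Never let user input create these keys on a plain object (prototype pollution).
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Parse "filters[a][b][$eq]=v&..." into nested null-prototype objects.
// Numeric segments such as $or[0] simply become keys named "0".
function parseBracketQuery(queryString) {
  const root = Object.create(null);
  for (const pair of queryString.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawValue = eq === -1 ? "" : pair.slice(eq + 1);
    const segments = safeDecode(rawKey).split(/[\[\]]+/).filter((s) => s.length > 0);
    if (segments.length === 0 || segments.some((s) => FORBIDDEN_SEGMENTS.has(s))) continue;
    let node = root;
    segments.forEach((seg, i) => {
      if (i === segments.length - 1) {
        node[seg] = safeDecode(rawValue);
      } else {
        if (typeof node[seg] !== "object" || node[seg] === null) node[seg] = Object.create(null);
        node = node[seg];
      }
    });
  }
  return root;
}

// Walk a parsed query and collect dotted paths that land on an admin relation.
// Operators ($eq, $startsWith, ...) are leaves; logical operators and array
// indices are skipped without extending the path.
function findAdminRelationPaths(node, path = [], found = []) {
  if (node === null || typeof node !== "object") return found;
  for (const [key, value] of Object.entries(node)) {
    if (LOGICAL_OPERATORS.has(key) || /^\d+$/.test(key)) {
      findAdminRelationPaths(value, path, found);
    } else if (ADMIN_RELATIONS.has(key)) {
      found.push([...path, key].join("."));
    } else if (!key.startsWith("$")) {
      findAdminRelationPaths(value, [...path, key], found);
    }
  }
  return found;
}

// Decision for a public endpoint: allow only if no filter touches admin data.
function checkPublicQuery(queryString) {
  const blocked = findAdminRelationPaths(parseBracketQuery(queryString));
  return { allowed: blocked.length === 0, blocked };
}

// Constructed sample queries (not captured traffic) for a stand-alone run.
const SAMPLES = [
  "filters[title][$containsi]=hello",
  "filters[updatedBy][email][$startsWith]=a",
  "filters[$or][0][author][updatedBy][firstname][$eq]=x&filters[$or][1][title][$eq]=y",
];
for (const q of SAMPLES) {
  const verdict = checkPublicQuery(q);
  console.log(verdict.allowed ? "ALLOW " : "BLOCK ", q, verdict.blocked);
}
```

The walker deliberately reports the path of the relation rather than the leaf operator, so a log line shows which join an anonymous query tried to reach (for example "filters.author.updatedBy"), which is the signal to alert on when watching for oracle-style probing of admin_users.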


Remediation

Install the update from the vendor's website.