Improper Restriction of Excessive Authentication Attempts in strapi - CVE-2023-38507

 

Published: September 13, 2023 / Updated: April 23, 2026


Vulnerability identifier: #VU126963
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-38507
CWE-ID: CWE-307
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: strapi
Software vendor: strapi.io

Description

The vulnerability allows a remote attacker to bypass authentication rate limiting.

The vulnerability exists due to improper restriction of excessive authentication attempts in the admin login function when handling login requests with modified request paths. A remote attacker can send specially crafted login requests with altered path casing or trailing slashes to bypass authentication rate limiting.

This affects the admin login endpoint and can increase the likelihood of successful brute-force login attempts.


Remediation

Install the security update from the vendor's website.

External links