Improper access control in strapi - CVE-2024-29181
Published: June 12, 2024 / Updated: April 23, 2026
Vulnerability identifier: #VU126966
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-29181
CWE-ID: CWE-284
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vendor: strapi.io
Affected software:
strapi
strapi
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in relation selection in the Admin Panel when handling association dropdowns for private collections. A remote user can create a new item and view associated items from another user's protected collection to disclose sensitive information.
User interaction is required to create or edit an item and open the association dropdown.
How to mitigate CVE-2024-29181
Install security update from vendor's website.