#VU126966 Improper access control in strapi - CVE-2024-29181
Published: June 12, 2024 / Updated: April 23, 2026
strapi
strapi.io
Description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the Admin Panel's relation selection when handling association dropdowns for private collections. A remote user can create a new item and, through the association dropdown, view associated items from another user's protected collection, disclosing sensitive information.
User interaction is required to create or edit an item and open the association dropdown.