Improper Neutralization of Special Elements in Data Query Logic in strapi - CVE-2026-27886

Published: May 13, 2026

Vulnerability identifier: #VU131364
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-27886
CWE-ID: CWE-943
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: strapi.io
Affected software:
strapi

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper neutralization of special elements in the Content API's relational filtering logic when processing crafted where query parameters on publicly accessible content-type endpoints. A remote attacker can send a specially crafted chain of query parameters that traverses admin relations and disclose sensitive information.

Exploitation is possible on publicly accessible content types that expose an updatedBy or other admin-relation field; the number of results returned can then be used as a boolean oracle against private fields in the joined admin_users table.
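The filter-traversal pattern described above can be checked for at the request boundary and in existing access logs. The following is an added example written for this page; it is not code from the advisory or from the Strapi project. It assumes that filters arrive as bracketed query keys in the shape filters[field][$op]=value (or the older where/_where form), that createdBy and updatedBy are the admin-relation field names to watch, and that a Koa-style middleware (ctx, next) is available to attach the guard to; the log lines are constructed.

```javascript
// Added example (not code from the advisory or from the Strapi project):
// flag Content API requests whose filter chain traverses an admin relation
// such as updatedBy, the pattern described in CVE-2026-27886.
// Assumed here: filters arrive as bracketed query keys
// (filters[field][$op]=value, or the older where/_where form), and
// createdBy/updatedBy are the admin-relation fields that join admin_users.

const ADMIN_RELATION_FIELDS = new Set(['createdBy', 'updatedBy']);
const FILTER_ROOTS = new Set(['filters', 'where', '_where']);

// "filters[$or][0][updatedBy][email][$eq]"
//   -> ["filters", "$or", "0", "updatedBy", "email", "$eq"]
function keyToPath(key) {
  const segments = [];
  const re = /([^\[\]]+)|\[([^\]]*)\]/g;
  let m;
  while ((m = re.exec(key)) !== null) {
    segments.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return segments;
}

// Every filter path in the query string that steps into an admin relation.
// An empty result means the query is clean with respect to this check.
// URLSearchParams decodes percent-encoded brackets, so encoded keys are covered.
function findAdminRelationFilters(queryString) {
  const params = new URLSearchParams(queryString.replace(/^\?/, ''));
  const hits = [];
  for (const key of params.keys()) {
    const path = keyToPath(key);
    if (!FILTER_ROOTS.has(path[0])) continue;
    // Any later segment naming an admin relation is a traversal into
    // admin_users data, whatever operator or $or/index nesting wraps it.
    if (path.slice(1).some((seg) => ADMIN_RELATION_FIELDS.has(seg))) {
      hits.push(path.join('.'));
    }
  }
  return hits;
}

// Scan common-log-format lines and return one finding per request whose
// query string trips the check. Repeated findings from one client against one
// path, differing only in the filter value, are the signature of the
// response-count oracle the advisory describes.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = line.match(/^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/);
    if (!m) continue;
    const client = m[1];
    const target = m[2];
    const qIndex = target.indexOf('?');
    if (qIndex === -1) continue;
    const hits = findAdminRelationFilters(target.slice(qIndex + 1));
    if (hits.length > 0) {
      findings.push({ client, path: target.slice(0, qIndex), hits });
    }
  }
  return findings;
}

// Constructed sample log lines (not from any real system).
const SAMPLE_LOG = [
  '203.0.113.5 - - [13/May/2026:10:00:00 +0000] "GET /api/articles?filters[updatedBy][email][$startsWith]=a HTTP/1.1" 200 512',
  '203.0.113.5 - - [13/May/2026:10:00:01 +0000] "GET /api/articles?filters[updatedBy][email][$startsWith]=ad HTTP/1.1" 200 512',
  '198.51.100.7 - - [13/May/2026:10:00:02 +0000] "GET /api/articles?filters[title][$containsi]=strapi&pagination[pageSize]=10 HTTP/1.1" 200 2048',
  '198.51.100.7 - - [13/May/2026:10:00:03 +0000] "GET /api/articles/1 HTTP/1.1" 200 700',
];

// Koa-style guard in the (ctx, next) shape Strapi uses for custom global
// middlewares (assumed shape; adapt to your version). A stopgap for instances
// awaiting the vendor update, not a substitute for it: it rejects the request
// and logs the offending paths so oracle attempts become visible.
function adminRelationFilterGuard({ log = (msg) => console.warn(msg) } = {}) {
  return async (ctx, next) => {
    const hits = findAdminRelationFilters(ctx.request.querystring || '');
    if (hits.length > 0) {
      log(`blocked admin-relation filter from ${ctx.ip} on ${ctx.path}: ${hits.join(', ')}`);
      ctx.status = 400;
      ctx.body = { error: 'Filtering on admin relations is not permitted' };
      return;
    }
    await next();
  };
}

// Stand-alone run: report which sample requests trip the check.
for (const finding of scanAccessLog(SAMPLE_LOG)) {
  console.log(`${finding.client} ${finding.path} -> ${finding.hits.join(', ')}`);
}
```

findAdminRelationFilters is deliberately scoped to filter roots, so a populate[updatedBy] key is not flagged by it; the check targets the where/filter traversal the advisory describes. scanAccessLog can be pointed at historical logs to look for the repeated, value-only-differs request series that a boolean oracle produces, and adminRelationFilterGuard can be registered as a global middleware until the vendor update is installed.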


How to mitigate CVE-2026-27886

Install the security update from the vendor's website.

Sources