CVE-2019-18818
Description
strapi before 3.0.0-beta.17.5 mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Strapi before 3.0.0-beta.17.5 mishandles password reset requests, allowing unauthenticated attackers to escalate privileges or perform admin-level actions.
Vulnerability
Overview
CVE-2019-18818 describes a mishandling of password reset functionality in Strapi CMS versions prior to 3.0.0-beta.17.5. The flaw resides in the Auth.js controllers of both the core admin package and the users-permissions plugin [1]. This indicates that the password reset process lacked proper verification or validation steps, enabling unintended account access.
Exploitation
Conditions
An attacker can exploit this vulnerability without prior authentication. By sending a specially crafted password reset request, the attacker can bypass the intended protections and potentially reset the passwords of arbitrary users, including administrators [2][3]. The attack is network-based and requires no special privileges or user interaction beyond the initial request.
Impact
Successful exploitation allows an unauthenticated attacker to take over administrative accounts. This can lead to full compromise of the Strapi application, including data theft, modification of content or configuration, and in some cases remote code execution [2]. The vulnerability has been tied to privilege escalation chains that ultimately permit administrative access [1].
Mitigation
Strapi addressed this vulnerability in version 3.0.0-beta.17.5 and later releases [4]. Users are strongly advised to update to the latest stable version. Organizations should verify that their Strapi deployments are patched, as exploit code is publicly available, increasing the risk of active exploitation [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| strapi (npm) | < 3.0.0-beta.17.5 | 3.0.0-beta.17.5 |
Affected products
- strapi/strapi
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-6xc2-mj39-q599 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-18818 (NVD advisory)
- packetstormsecurity.com/files/163939/Strapi-3.0.0-beta-Authentication-Bypass.html
- packetstormsecurity.com/files/163950/Strapi-CMS-3.0.0-beta.17.4-Remote-Code-Execution.html
- packetstormsecurity.com/files/165896/Strapi-CMS-3.0.0-beta.17.4-Privilege-Escalation.html
- cve.mitre.org/cgi-bin/cvename.cgi
- github.com/strapi/strapi/pull/4443
- github.com/strapi/strapi/releases/tag/v3.0.0-beta.17.5
- www.npmjs.com/advisories/1311