VYPR
High severity · NVD Advisory · Published May 6, 2021 · Updated Aug 3, 2024

CVE-2021-28128


Description

In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Strapi <=3.6.0 admin panel lets attackers with a valid session change a user's password without entering the current one, enabling account takeover.

Vulnerability

In Strapi versions up to and including 3.6.0, the admin panel's password change feature does not require the user to enter their current password. This missing verification step (CWE-620, unverified password change) allows any authenticated user to set a new password without proving they know the existing one. The vulnerability is present in the admin panel password change flow on the user's own profile page. References [1] and [3] confirm that the affected versions are through 3.6.0.

Exploitation

An attacker must first gain access to a valid user session, for example through session hijacking, phishing, or a previous compromise. Once logged into the admin panel, they navigate to their profile page and submit a new password without providing the current password. The system accepts the change because no verification step is enforced. This sequence is documented in the proof of concept provided by SySS [3] and referenced in the official description [1].

Impact

Successful exploitation allows the attacker to change the password on the compromised account, locking out the legitimate user and gaining persistent control. The attacker achieves full account takeover with the same privileges as the original user, potentially including administrative rights depending on the account. This can lead to unauthorized content modification, data disclosure, or further lateral movement within the Strapi instance. Reference [1] describes the impact as account takeover via password change.

Mitigation

As of the disclosure date (April 26, 2021), no official patch had been released by Strapi; the vendor was notified on March 8, 2021 [3]. A GitHub issue [4] was created as a feature request to add current password confirmation. Users of Strapi 3.6.0 or earlier should monitor for a security update and apply it promptly. No workarounds are documented in the provided references. The solution status remains open [3]; until a fix is released, upgrading to a patched version once available is the only mitigation.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: strapi (npm)
Affected versions: <= 3.6.0
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 6
