CVE-2021-46440
Description
Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a cleartext password, leading to getting API documentation for further API attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Strapi's DOCUMENTATION plugin stores passwords in recoverable format, allowing cookie-based cleartext password theft and API documentation access.
Vulnerability
The DOCUMENTATION plugin component in Strapi stores passwords in a recoverable format (base64-encoded) within cookies. This affects Strapi versions before 3.6.9 and 4.x before 4.1.5 [1]. The plugin uses a cookie to persist authentication credentials, making them retrievable by an attacker who can intercept the victim's HTTP request.
Exploitation
An attacker must be able to access a victim's HTTP request, for example through a man-in-the-middle position or by monitoring network traffic. The attacker obtains the victim's cookie, performs a base64 decode, and extracts the cleartext password [1]. No additional authentication or user interaction beyond the victim's normal use is required.
Impact
Successful exploitation reveals the victim's cleartext password. With this password, the attacker can access the API documentation, which may expose further attack surfaces and enable additional API attacks [1]. The primary impact is information disclosure of credentials and subsequent unauthorized access to API documentation.
Mitigation
The vulnerability is fixed in Strapi versions 3.6.9 and 4.1.5 [1]. The fix was implemented in pull request #12246 [4]. Users should upgrade to these versions or later. No workarounds are documented in the available references.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
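As an added illustration of the bug class the Vulnerability and Mitigation sections describe (example code, not Strapi's own code and not part of this record): the recoverable-credential cookie pattern beside a hardened opaque-token alternative, plus an audit check a defender can run over their own application's cookie values. The function names, the in-memory session store and the sample credentials are all constructed for this example.

```python
import base64
import json
import secrets
from typing import Dict, Optional

# Constructed illustration of the CVE-2021-46440 bug class: authentication
# credentials persisted in a cookie in a recoverable (base64) encoding.

def vulnerable_cookie(username: str, password: str) -> str:
    """Vulnerable pattern: the cookie *is* the credential, merely base64-encoded.
    Anyone who can read the request recovers the cleartext password."""
    payload = json.dumps({"username": username, "password": password})
    return base64.b64encode(payload.encode()).decode()

# Hypothetical server-side session store (a real deployment would use the
# framework's session backend). Maps opaque token -> username.
_SESSIONS: Dict[str, str] = {}

def hardened_cookie(username: str) -> str:
    """Safe pattern: a 256-bit random token that only references a server-side
    session. Decoding the cookie value reveals nothing about the password."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = username
    return token

def session_user(token: str) -> Optional[str]:
    """Resolve an opaque token back to its user; None if unknown."""
    return _SESSIONS.get(token)

def recoverable_password(cookie_value: str) -> Optional[str]:
    """Audit check for your own app's cookies: returns the cleartext password
    if the value base64-decodes to JSON carrying one, otherwise None."""
    try:
        decoded = base64.b64decode(cookie_value, validate=True)
        data = json.loads(decoded)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    if isinstance(data, dict):
        for key in ("password", "pass", "pwd"):
            if isinstance(data.get(key), str):
                return data[key]
    return None
```

Run `recoverable_password` over the Set-Cookie values your own instance issues after login; any non-None result is the pattern this advisory describes.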
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| strapi (npm) | < 3.6.9 | 3.6.9 |
| @strapi/strapi (npm) | >= 4.0.0, < 4.1.5 | 4.1.5 |
Affected products
- Strapi / DOCUMENTATION plugin (from the CVE description)
- GHSA coordinates, 2 version ranges: >= 4.0.0, < 4.1.5 (+ 1 more)
- (no CPE) range: >= 4.0.0, < 4.1.5
- (no CPE) range: < 3.6.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-85vg-grr5-pw42 (ghsa, ADVISORY)
2. nvd.nist.gov/vuln/detail/CVE-2021-46440 (ghsa, ADVISORY)
3. packetstormsecurity.com/files/166915/Strapi-3.6.8-Password-Disclosure-Insecure-Handling.html (ghsa, x_refsource_MISC, WEB)
4. github.com/strapi/strapi/pull/12246 (ghsa, x_refsource_MISC, WEB)
5. hub.docker.com/r/strapi/strapi (ghsa, x_refsource_MISC, WEB)
6. strapi.io (ghsa, WEB)
7. strapi.io (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.