CVE-2022-30617
Description
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. For example, a low-privileged “author” role account can view these details in the JSON response for an “editor” or “super admin” that has updated one of the author’s blog posts. There are also many other scenarios where such details from other users can leak in the JSON response, either through a direct or indirect relationship. Access to this information enables a user to compromise other users’ accounts by successfully invoking the password reset workflow. In a worst-case scenario, a low-privileged user could get access to a “super admin” account with full control over the Strapi instance, and could read and modify any data as well as block access to both the admin panel and API by revoking privileges for all other users.
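The leak pattern described above and a defensive countermeasure, as an added example that is not Strapi's code or its patch: a constructed admin JSON response whose populated created_by / updated_by relations carry whole admin-user records, a sanitizer that strips sensitive fields from every user-shaped object at any nesting depth (so indirect relationships are covered too), and a checker that reports any paths still leaking. The field names password, resetPasswordToken and registrationToken are assumptions for illustration; the CVE text states only that email and password reset tokens leaked.

```javascript
// Added example, not Strapi's own code or fix. Field names below are assumed
// for illustration; the CVE text states only that email and reset tokens leaked.

// Fields whose presence marks an object as an admin-user record.
const USER_MARKER_FIELDS = ['password', 'resetPasswordToken', 'registrationToken'];
// Fields removed from such records before the response leaves the server.
const STRIP_FIELDS = [...USER_MARKER_FIELDS, 'email'];

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const looksLikeUser = (o) => isObject(o) && USER_MARKER_FIELDS.some((f) => hasOwn(o, f));

// Deep copy of `value` with STRIP_FIELDS removed from every user-shaped object.
// Arrays and nested relations are walked, so indirect relationships are covered.
function sanitizeResponse(value) {
  if (Array.isArray(value)) return value.map(sanitizeResponse);
  if (!isObject(value)) return value;
  const drop = looksLikeUser(value) ? STRIP_FIELDS : [];
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    if (!drop.includes(key)) out[key] = sanitizeResponse(v);
  }
  return out;
}

// Regression check: JSON paths at which a user-shaped object still exposes
// a sensitive field (an empty array means the response is clean).
function findLeaks(value, path = '$') {
  if (Array.isArray(value)) return value.flatMap((v, i) => findLeaks(v, `${path}[${i}]`));
  if (!isObject(value)) return [];
  const own = looksLikeUser(value)
    ? STRIP_FIELDS.filter((f) => hasOwn(value, f)).map((f) => `${path}.${f}`)
    : [];
  return own.concat(Object.entries(value).flatMap(([k, v]) => findLeaks(v, `${path}.${k}`)));
}

// Constructed sample: an author's post whose updated_by relation is a super admin;
// the category relation carries its own created_by user (an indirect relationship).
const leakyResponse = {
  id: 7,
  title: 'My post',
  created_by: { id: 3, firstname: 'Ann', email: 'author@example.test', password: '$2a$hash' },
  updated_by: { id: 1, firstname: 'Root', email: 'admin@example.test', password: '$2a$hash',
                resetPasswordToken: 'TOKEN-PLACEHOLDER' },
  category: { id: 2, name: 'News', created_by: { id: 1, email: 'admin@example.test', registrationToken: null } },
};

console.log(findLeaks(leakyResponse));                  // 7 leaked paths
console.log(findLeaks(sanitizeResponse(leakyResponse))); // []
```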
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated low-privileged Strapi admin users can view sensitive data (email, password reset tokens) of other users via JSON responses, enabling account compromise.
Vulnerability
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user [1][3]. For example, a low-privileged “author” role account can view these details in the JSON response for an “editor” or “super admin” that has updated one of the author’s blog posts. There are also many other scenarios where such details from other users can leak in the JSON response, either through a direct or indirect relationship. The vulnerability affects Strapi versions prior to the fix [2].
Exploitation
To exploit this vulnerability, an attacker needs a valid authenticated account with access to the Strapi admin panel, even one with low privileges such as the “author” role [1][3]. The attacker must have access to content that has a relationship (direct or indirect) with a target user (e.g., the target user created or updated that content). When the attacker views or retrieves the JSON response for that content, the response includes the target user's email and password reset tokens, enabling the attacker to perform a password reset for the target account [1][3].
Impact
Successful exploitation allows the attacker to view sensitive data (email and password reset tokens) of other admin panel users and subsequently compromise those accounts by invoking the password reset workflow [1][3]. In a worst-case scenario, a low-privileged user could gain access to a “super admin” account with full control over the Strapi instance, enabling them to read and modify any data as well as block access to both the admin panel and API by revoking privileges for all other users [1][3].
Mitigation
Strapi released a fix for this vulnerability. Users should update to the latest patched version of Strapi as soon as possible [2]. Workarounds are not documented in the available references. The vulnerability is not listed in the CISA KEV catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| strapi (npm) | >= 3.0.0, < 3.6.9 | 3.6.9 |
| @strapi/strapi (npm) | < 4.0.0-beta.15 | 4.0.0-beta.15 |
Affected products
- (no CPE) range: < 4.0.0-beta.15
- (no CPE) range: >= 3.0.0, < 3.6.9
- Strapi/Strapi (v5) range: < 3.6.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-f6fm-r26q-p747 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-30617 (GHSA, advisory)
- www.synopsys.com/blogs/software-security/cyrc-advisory-strapi (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.