VYPR
High severity · NVD Advisory · Published May 19, 2022 · Updated Aug 3, 2024

CVE-2022-30618

Description

An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:users-permissions). There are many scenarios in which such details from API users can leak in the JSON response within the admin panel, either through a direct or indirect relationship. Access to this information enables a user to compromise these users’ accounts if the password reset API endpoints have been enabled. In a worst-case scenario, a low-privileged user could get access to a high-privileged API account, and could read and modify any data as well as block access to both the admin panel and API by revoking privileges for all other users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated low-privileged Strapi admin user can view sensitive data (emails, password reset tokens) of API users through content type relationships, enabling account compromise.

Vulnerability

In Strapi, an authenticated user with access to the admin panel can leak private and sensitive data (such as email addresses and password reset tokens) of API users (from:users-permissions). This occurs when content types accessible to the authenticated user contain direct or indirect relationships to API users [1][3]. Affected versions are Strapi releases prior to the fix for CVE-2022-30618. The leak happens in JSON responses within the admin panel.

Exploitation

An attacker must have a valid account with at least some admin panel access (low-privileged role such as "author") [1][3]. No user interaction from the target API user is required. The attacker simply navigates to content items that have relationships to API user records; the sensitive fields are automatically included in the JSON response returned by the admin panel. If the password reset API endpoints are enabled, the attacker can use the leaked reset tokens to compromise API user accounts [3].

Impact

Successful exploitation allows the attacker to obtain email addresses and password reset tokens of API users. With these tokens, the attacker can reset the password of those API users and gain full control over their accounts [1][3]. In a worst-case scenario, a low-privileged attacker could take over a high-privileged API account, enabling read/write access to any data, and potentially revoke privileges for all other users, blocking access to both the admin panel and API [1][3].

Mitigation

The Strapi project has not yet officially disclosed a fixed version in the available references, but users should monitor the Strapi GitHub repository [2] and the Strapi advisory page for updates. As a workaround, administrators can review and restrict relationships between content types and API users, and disable password reset API endpoints if not strictly required [1][3].
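As an added example that is not Strapi's or this advisory's own code: a sanitiser that walks an admin-panel entity and removes private users-permissions fields from any user record reached through a direct or indirect relation, plus a check that reports the JSON paths where such fields remain. The set of private field names, the "looks like a user" heuristic and the sample entry are assumptions constructed for the example.

```javascript
// Added example, not Strapi's own code: strip private users-permissions
// fields from an admin-panel entity before it is serialised to JSON, and
// report any that survive. Field set is an assumption modelled on Strapi.
const PRIVATE_USER_FIELDS = new Set([
  'password', 'resetPasswordToken', 'confirmationToken', 'email',
]);

// Heuristic used here: an object is treated as an API user record if it
// carries any of the private fields. Real code would consult the schema.
function looksLikeApiUser(obj) {
  return Object.keys(obj).some((k) => PRIVATE_USER_FIELDS.has(k));
}

// Walk the whole object graph so users reached through indirect relations
// (entry -> author, entry -> comments[] -> user) are sanitised too.
function sanitizeRelations(value) {
  if (Array.isArray(value)) return value.map(sanitizeRelations);
  if (value === null || typeof value !== 'object') return value;
  const isUser = looksLikeApiUser(value);
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    if (isUser && PRIVATE_USER_FIELDS.has(k)) continue; // drop the secret
    out[k] = sanitizeRelations(v);
  }
  return out;
}

// Detection helper: list every JSON path where a private field is still
// present, usable as a regression check on an admin-panel response.
function findLeakedFields(value, path = '$') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findLeakedFields(v, `${path}[${i}]`)));
  } else if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      if (PRIVATE_USER_FIELDS.has(k)) hits.push(`${path}.${k}`);
      hits.push(...findLeakedFields(v, `${path}.${k}`));
    }
  }
  return hits;
}
// Constructed sample entry: the author relation and a nested comment
// relation both point at API users carrying secrets (placeholder values).
const sampleEntry = {
  id: 1, title: 'Hello',
  author: { id: 7, username: 'alice', email: 'alice@example.invalid',
            resetPasswordToken: 'RESET-TOKEN-PLACEHOLDER' },
  comments: [{ id: 3, body: 'hi', user: { id: 8, username: 'bob',
               password: 'HASH-PLACEHOLDER', confirmationToken: 'CT-PLACEHOLDER' } }],
};
```

Running `findLeakedFields(sampleEntry)` reports four leaked paths (two under `author`, two under `comments[0].user`); after `sanitizeRelations` it reports none while non-secret fields such as `username` remain.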

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               Affected versions     Patched versions
strapi (npm)          >= 3.0.0, < 3.6.9     3.6.9
@strapi/strapi (npm)  < 4.1.9               4.1.9
