VYPR
High severity · NVD Advisory · Published Sep 27, 2022 · Updated May 22, 2025

CVE-2022-31367

Description

Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Strapi versions before 3.6.10 and 4.x versions before 4.1.10 expose hidden attributes in admin API responses, potentially leaking sensitive data that was intended to be concealed.

Root Cause: The Strapi headless CMS mishandles hidden attributes within admin API responses. Hidden attributes, which are meant to be concealed from the admin panel, are inadvertently returned in API responses. This flaw exists in versions before 3.6.10 and 4.x before 4.1.10 [1].

Exploitation: An attacker with access to the admin API—typically an authenticated admin user—can retrieve content models and see the hidden attributes in the response payload. No special privileges beyond standard admin access are required, as the hidden attributes are not properly sanitized in the API layer [3].

Impact: Successful exploitation leads to unauthorized disclosure of sensitive data that was intended to remain hidden, such as fields containing confidential information. This compromises the confidentiality of data that content modelers expected to be obscured even from admin panel views [2].

Mitigation: The issue is fixed in Strapi versions 3.6.10 and 4.1.10. Users are advised to upgrade immediately. The fix involves sanitizing hidden attributes from admin API responses [3][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
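The Mitigation paragraph above describes the fix only as "sanitizing hidden attributes from admin API responses". The following is an added illustration of what such a sanitization layer looks like and how a team can regression-test it; it is not Strapi's own code or the actual patch. The content-type schema shape, the `hidden: true` flag on an attribute definition, and the sample entity are all assumptions constructed for this example.

```javascript
// Added example (not Strapi's code): strip attributes flagged as hidden from
// both schema responses (model listings) and entity responses, and provide a
// check that reports any hidden attribute that still leaks through.

// Constructed content-type schema; the `hidden` flag is an assumption for
// this example, not Strapi's real attribute option.
const articleSchema = {
  uid: "api::article.article",
  attributes: {
    title: { type: "string" },
    body: { type: "text" },
    internalNotes: { type: "text", hidden: true },
    reviewerEmail: { type: "email", hidden: true },
  },
};

// Constructed entity as a content query might return it, before sanitization.
const articleEntity = {
  id: 1,
  title: "Release notes",
  body: "Public body text",
  internalNotes: "do not publish before legal review",
  reviewerEmail: "reviewer@example.invalid",
};

// Names of the attributes the schema marks as hidden, in schema order.
function hiddenAttributeNames(schema) {
  return Object.entries(schema.attributes || {})
    .filter(([, def]) => def && def.hidden === true)
    .map(([name]) => name);
}

// Schema as it should be returned by a model-listing endpoint: the hidden
// attribute definitions themselves are removed, not just their values.
function sanitizeSchema(schema) {
  const hidden = new Set(hiddenAttributeNames(schema));
  const attributes = Object.fromEntries(
    Object.entries(schema.attributes || {}).filter(([name]) => !hidden.has(name))
  );
  return { ...schema, attributes };
}

// Entity (or array of entities) with hidden field values removed. Works on a
// shallow copy so the caller's original object is left untouched.
function sanitizeEntities(schema, payload) {
  const hidden = new Set(hiddenAttributeNames(schema));
  const strip = (entity) =>
    Object.fromEntries(Object.entries(entity).filter(([name]) => !hidden.has(name)));
  return Array.isArray(payload) ? payload.map(strip) : strip(payload);
}

// Regression check for a response payload: returns the hidden attribute names
// that are still present in any entity. An empty array means nothing leaked.
function leakedHiddenAttributes(schema, payload) {
  const hidden = hiddenAttributeNames(schema);
  const entities = Array.isArray(payload) ? payload : [payload];
  return hidden.filter((name) =>
    entities.some((e) => Object.prototype.hasOwnProperty.call(e, name))
  );
}

// Usage: compare the raw and sanitized payloads.
console.log("leaks before:", leakedHiddenAttributes(articleSchema, articleEntity));
console.log("leaks after:", leakedHiddenAttributes(articleSchema, sanitizeEntities(articleSchema, articleEntity)));
```

The `leakedHiddenAttributes` check is the piece worth keeping around after an upgrade: run it in an integration test against the real admin endpoints so that any future regression that reintroduces hidden fields into a response fails the build rather than surfacing in production.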

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                Affected versions                Patched versions
strapi (npm)           < 3.6.10                         3.6.10
@strapi/strapi (npm)   >= 4.0.0-next.0, < 4.1.10        4.1.10

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 7

News mentions: 0

No linked articles in our index yet.