VYPR
High severity · NVD Advisory · Published Apr 19, 2023 · Updated Nov 7, 2025

CVE-2023-22894

Description

Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then this can be exploited to discover the password hash and password reset token of all users. If the attacker has admin panel access to an account with permission to access the username and email of API users with a lower privileged role (e.g., Editor or Author), then this can be exploited to discover sensitive information for all API users but not other admin accounts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Strapi through 4.5.5 leaks sensitive user details, including password hashes and reset tokens, via query filter exploitation by authenticated admin panel users.

Vulnerability Overview

CVE-2023-22894 is an information disclosure vulnerability affecting Strapi versions through 4.5.5. The vulnerability arises because the API query filtering mechanism fails to restrict access to private fields (e.g., passwordHash, resetPasswordToken). An attacker with valid admin panel access can craft filter queries against user endpoints to enumerate and infer values for these sensitive columns based on API response differences, leaking confidential user data [1] [4].
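To make the mechanism concrete, here is an added JavaScript illustration (not Strapi's own code; the user schema is an assumed, simplified stand-in) showing the weak pattern, a client-supplied filter tree passed straight to the query layer, beside a sanitizer that strips conditions on attributes the schema marks private before the query runs:

```javascript
// Added illustration, not Strapi's own code: a filter sanitizer that strips
// conditions on private attributes before a query reaches the database.
// The schema is an assumed, simplified stand-in for a user content type.
const userSchema = {
  attributes: {
    username: { type: 'string' },
    email: { type: 'email' },
    password: { type: 'password', private: true },
    resetPasswordToken: { type: 'string', private: true },
  },
};

const LOGICAL_OPS = new Set(['$and', '$or', '$not']);

// Attribute names the schema marks private (must never be filterable).
function privateAttributes(schema) {
  return new Set(
    Object.entries(schema.attributes)
      .filter(([, attr]) => attr.private === true)
      .map(([name]) => name)
  );
}

// The weak pattern: the client's filter tree is forwarded untouched, so a
// condition keyed on `password` becomes a WHERE clause and the presence or
// absence of matching rows leaks the private column one comparison at a time.
function buildWhereUnsanitized(filters) {
  return filters;
}

// Hardened version: walk the tree, drop conditions keyed on private attributes,
// recurse into $and/$or/$not, prune empty branches, and report what was
// stripped so the caller can log it. (Assumption: relation filters pass through.)
function sanitizeFilters(filters, schema) {
  const priv = privateAttributes(schema);
  const stripped = [];
  const isEmpty = (v) => (Array.isArray(v) ? v.length : Object.keys(v).length) === 0;
  const walk = (node) => {
    if (Array.isArray(node)) return node.map(walk).filter((n) => !isEmpty(n));
    if (node === null || typeof node !== 'object') return node;
    const out = {};
    for (const [key, value] of Object.entries(node)) {
      if (priv.has(key)) stripped.push(key);
      else if (!LOGICAL_OPS.has(key)) out[key] = value;
      else { const inner = walk(value); if (!isEmpty(inner)) out[key] = inner; }
    }
    return out;
  };
  return { filters: walk(filters), stripped };
}
```

A non-empty `stripped` list on an admin-panel request is itself a useful detection signal, since a legitimate UI never filters on those columns.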

Exploitation Prerequisites and Method

Exploitation requires an authenticated session with the Strapi admin panel. If the attacker holds a super admin role, they can directly filter on any column, including those containing password hashes and reset tokens for all users [2] [4]. For lower-privileged admin roles (e.g., with access only to usernames and emails of API users), the attacker can still leverage the filter to extract sensitive information of API users by iterating through valid values and observing the response, thereby inferring data from private fields [4]. No additional privileges are needed beyond the initial admin access.

Potential Impact

Successful exploitation enables the attacker to obtain highly sensitive information: password hashes (potentially crackable offline) and password reset tokens, for all users (if super admin) or for the API user population (if a lower-privileged admin role). With a reset token, the attacker could hijack user accounts without knowing the current password. This can be chained with other vulnerabilities like CVE-2023-22621 (SSTI to RCE) to escalate from information disclosure to full remote code execution as an unauthenticated user on versions <=4.5.5 [1] [2].

Mitigation Status

Strapi patched this vulnerability in version 4.5.6. Users are strongly advised to upgrade to at least 4.5.6, and preferably to a later stable release (e.g., 4.8.0 or newer) where additional security fixes are included [2] [3]. There is no workaround short of upgrading. Versions 3.x.x are end-of-life and no longer receive security updates, so migration to a supported 4.x.x release is critical [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: @strapi/strapi (npm)
Affected versions: >= 3.2.1, < 4.8.0
Patched versions: 4.8.0
