Strapi Allows Unauthorized Access to Private Fields via params.lookup
Description
Strapi is an open-source headless content management system. In versions from 5.0.0 to before 5.5.2, the lookup operator provided by the document service does not properly sanitize query parameters for private fields. An attacker can access private fields, including admin passwords and reset tokens, by crafting queries with the lookup parameter. This vulnerability is fixed in 5.5.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Strapi 5.0.0–5.5.1 exposes private fields (admin passwords, reset tokens) through the unsanitized lookup operator in the document service; fixed in 5.5.2.
Vulnerability
Overview
The lookup operator introduced in Strapi 5's document service fails to sanitize query parameters for private fields. This allows an attacker to filter database queries using sensitive attributes such as admin password hashes and password reset tokens, which should never be exposed through the public API [1][4].
Exploitation
An attacker with access to the Strapi API (e.g., an authenticated user with list-view permissions) can craft a request containing a lookup parameter targeting private fields. For example, appending &lookup[updatedBy][password][$startsWith]=$2 to a URL filters entries based on whether the admin's password hash starts with $2, enabling enumeration of password hashes character by character [4]. No special privileges beyond basic API access are required to exploit this flaw.
Impact
Successful exploitation allows an attacker to extract admin password hashes and reset tokens, potentially leading to full account takeover of administrative users. With admin access, the attacker can modify content, create new users, and compromise the entire Strapi instance [1][4].
Mitigation
The vulnerability is fixed in Strapi version 5.5.2. The fix removes the lookup parameter from public API calls and throws a ValidationError if it is supplied, ensuring it can only be used internally [3][4]. Users are strongly advised to upgrade to 5.5.2 or later.
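As an added example (not Strapi's own code, and not the fix commit), the following TypeScript miniature shows the two layers of defence the advisory and the patch describe: a query parser that turns a bracket-notation REST query into the nested object the service layer sees, a filter sanitizer that drops conditions on private attributes even when they are reached through a relation such as `updatedBy`, and a parameter validator that, like the 5.5.2 fix, rejects any caller-supplied `lookup` with a `ValidationError` instead of sanitizing it. The schemas, UIDs (`api::article.article`, `admin::user`) and attribute names are simplified stand-ins for Strapi's real content-type definitions, and the `in` check is stricter than the truthiness check in the commit.

```typescript
// Added example, not Strapi's own code: a miniature of the guard that the
// 5.5.2 fix adds to the document service, with a filter sanitizer beside it.
// Schema shapes, UIDs and field names are simplified stand-ins.

type Attribute =
  | { type: 'string'; private?: boolean }
  | { type: 'relation'; target: string; private?: boolean };

interface Schema {
  uid: string;
  attributes: Record<string, Attribute>;
}

type Filters = Record<string, unknown>;

// Constructed sample schemas: an article that tracks the admin who last
// edited it, and the admin user whose credential fields are private.
const SCHEMAS: Record<string, Schema> = {
  'api::article.article': {
    uid: 'api::article.article',
    attributes: {
      title: { type: 'string' },
      updatedBy: { type: 'relation', target: 'admin::user' },
    },
  },
  'admin::user': {
    uid: 'admin::user',
    attributes: {
      email: { type: 'string' },
      password: { type: 'string', private: true },
      resetPasswordToken: { type: 'string', private: true },
    },
  },
};

export class ValidationError extends Error {
  constructor(message: string) {
    super(message);
    Object.setPrototypeOf(this, ValidationError.prototype); // keep instanceof working
  }
}

// Parse qs-style bracket notation ("a[b][c]=v") into nested objects, which is
// the shape a REST query string has by the time it reaches the service layer.
export function parseQuery(query: string): Record<string, unknown> {
  const root: Record<string, unknown> = {};
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    const path = decodeURIComponent(rawKey).replace(/\]/g, '').split('[');
    let node = root;
    for (const part of path.slice(0, -1)) {
      const next = node[part];
      if (typeof next !== 'object' || next === null) node[part] = {};
      node = node[part] as Record<string, unknown>;
    }
    node[path[path.length - 1]] = decodeURIComponent(rawVal);
  }
  return root;
}

// Walk a filters object against the schema and drop every key that names a
// private attribute, following relations so that a condition on
// updatedBy.password is removed just like one on password itself.
export function sanitizeFilters(uid: string, filters: Filters): Filters {
  const schema = SCHEMAS[uid];
  if (!schema) return {};
  const out: Filters = {};
  for (const [key, value] of Object.entries(filters)) {
    if (key.startsWith('$')) {
      // Logical operators ($and/$or) carry nested filter objects; comparison
      // operators ($eq/$startsWith) carry plain values and pass through.
      out[key] = Array.isArray(value)
        ? value.map((v) => sanitizeFilters(uid, v as Filters))
        : value;
      continue;
    }
    const attr = schema.attributes[key];
    if (!attr || attr.private) continue; // unknown or private attribute: dropped
    if (attr.type === 'relation' && value !== null && typeof value === 'object') {
      out[key] = sanitizeFilters(attr.target, value as Filters);
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Behaviour of the fix: lookup is internal-only, so a caller-supplied value is
// rejected with ValidationError instead of being sanitized; the remaining
// filters are sanitized. The `in` check rejects falsy values as well.
export function validateParams(uid: string, params: Record<string, unknown>) {
  if ('lookup' in params) {
    throw new ValidationError("Invalid params: 'lookup'");
  }
  const filters = (params.filters ?? {}) as Filters;
  return { ...params, filters: sanitizeFilters(uid, filters) };
}
```

Feeding the advisory's query shape through `parseQuery` and then `validateParams` raises `ValidationError` before any filter is evaluated, while the same condition expressed through the public `filters` parameter is silently reduced to `updatedBy: {}`, so the database never sees a predicate on the password hash. Rejecting rather than stripping an internal-only parameter is the safer of the two choices because it also surfaces misuse in logs instead of quietly returning unfiltered results.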
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @strapi/core (npm) | >= 5.0.0, < 5.5.2 | 5.5.2 |
Affected products
- strapi/strapi v5, range: >= 5.0.0, < 5.5.2
Patches
- 0c6e0953ae1e fix: remove lookup param from doc service
3 files changed · +23 −1
packages/core/core/src/services/document-service/draft-and-publish.ts+1 −0 modified@@ -70,6 +70,7 @@ const statusToLookup: TransformWithContentType = (contentType, params) => { return params; } + // @ts-expect-error: we need to create a different typing for internal params const lookup = params.lookup || {}; switch (params?.status) {
packages/core/core/src/services/document-service/repository.ts+6 −1 modified@@ -1,6 +1,6 @@ import { omit, assoc, merge, curry } from 'lodash/fp'; -import { async, contentTypes as contentTypesUtils, validate } from '@strapi/utils'; +import { async, contentTypes as contentTypesUtils, validate, errors } from '@strapi/utils'; import { UID } from '@strapi/types'; import { wrapInTransaction, type RepositoryFactoryMethod } from './common'; @@ -48,6 +48,11 @@ export const createContentTypeRepository: RepositoryFactoryMethod = ( await validators.validateFields(ctx, params.fields, fieldValidations); await validators.validatePopulate(ctx, params.populate, populateValidations); + // Strip lookup from params, it's only used internally + if (params.lookup) { + throw new errors.ValidationError("Invalid params: 'lookup'"); + } + // TODO: add validate status, locale, pagination return params;
tests/api/core/strapi/document-service/validation/validation.test.api.ts+16 −0 modified@@ -250,5 +250,21 @@ describe('Document Service Validations', () => { ).rejects.toThrow(errors.ValidationError); }); }); + + /** + * Lookup is an internal parameter used to filter by locale and status. + * It should not be exposed to the public API. + */ + describe('lookup', () => { + it('should throw ValidationError', async () => { + await expect( + strapi.documents(ARTICLE_UID)[methodName]({ + lookup: { + title: 'Hello World', + }, + }) + ).rejects.toThrow(errors.ValidationError); + }); + }); }); });
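Review bot: the `@ts-expect-error` added in draft-and-publish.ts suppresses a type error instead of giving the internal callers their own params type; the comment itself admits that a separate typing for internal params is needed, so track that follow-up, since a blanket expect-error above `const lookup = params.lookup || {};` will also hide any unrelated type regression on that line.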
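Review bot: in repository.ts the comment `// Strip lookup from params, it's only used internally` does not match the code below it, which rejects the request with `ValidationError` rather than stripping the key; reword it to say the parameter is rejected. The truthiness check `if (params.lookup)` also lets falsy values such as `lookup: ''` or `lookup: 0` through to the internal code that reads `params.lookup || {}`; `if ('lookup' in params)` or `params.lookup !== undefined` would reject every caller-supplied value uniformly.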
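Review bot: the new test only exercises `lookup: { title: 'Hello World' }`, a benign public attribute on the same content type, while the reported vector filtered on a private field reached through a relation (`lookup[updatedBy][password][$startsWith]`); add a case with that shape so the fix is locked in against the actual report, and add a positive case showing that the internal status/locale lookup path in draft-and-publish.ts still works now that caller-supplied lookup is rejected.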
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-495j-h493-42q2 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-56143 (ghsa, ADVISORY)
- github.com/strapi/strapi/commit/0c6e0953ae1e62afae9329de7ae6d6a5e21b95b8 (ghsa, x_refsource_MISC, WEB)
- github.com/strapi/strapi/security/advisories/GHSA-495j-h493-42q2 (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.