CVE-2026-22599
Description
Strapi is an open source headless content management system. In versions on the 4.x branch prior to 4.26.1 and on the 5.x branch prior to 5.33.2, a database-query injection vulnerability existed in the Strapi Content-Type Builder write API. An authenticated administrator could inject arbitrary database statements through the column.defaultTo attribute when creating or modifying a content type. Setting defaultTo as a tuple [value, { isRaw: true }] caused the value to be passed directly into Knex's db.connection.raw() during schema migration without sanitization, allowing arbitrary statement execution at the database layer. Depending on the database engine, this enabled arbitrary file read via database utility functions, denial of service via forced server crash on schema-migration error, and on engines that permit external program execution, remote code execution against the database server. The patch in versions 4.26.1 and 5.33.2 addresses this by restricting all Content-Type Builder write APIs to development mode only. Production deployments running v5.33.2 or later return 404 for requests against /content-type-builder/content-types and related endpoints, removing the network-reachable attack surface entirely.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@strapi/content-type-buildernpm | >= 5.0.0, < 5.33.2 | 5.33.2 |
@strapi/plugin-content-type-buildernpm | >= 4.0.0, < 4.26.1 | 4.26.1 |
Affected products
4- ghsa-coords2 versions
>= 5.0.0, < 5.33.2+ 1 more
- (no CPE)range: >= 5.0.0, < 5.33.2
- (no CPE)range: >= 4.0.0, < 4.26.1
Patches
Vulnerability mechanics
References
5- github.com/strapi/strapi/releases/tag/v4.26.1nvdPatchProductWEB
- github.com/strapi/strapi/releases/tag/v5.33.2nvdPatchProductWEB
- github.com/advisories/GHSA-3xcq-8mjw-h6mxghsaADVISORY
- github.com/strapi/strapi/security/advisories/GHSA-3xcq-8mjw-h6mxnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-22599ghsaADVISORY
News mentions
0No linked articles in our index yet.