External risk intelligence

Strapi could allow external attackers to take over administrative accounts.

Strapi could allow external attackers to take over administrative accounts, potentially exposing administrative credentials and undermining the integrity of your operational systems. The flaw lets them bypass security controls through the public APIs. No active exploitation is currently reported.

NVD published May 14, 2026

External risk brief: CRITICAL

CVE-2026-27886

Halo Surface Signal: 4/5

Strapi is a headless content management system designed to provide web-accessible APIs. These APIs are frequently deployed as public-facing services to deliver content to external websites and applications, making the vulnerable endpoints commonly exposed to the internet in standard real-world deployments.

Exposure facts

H – Horizon Alert

We have identified a security vulnerability in the Strapi content management system where inadequate input sanitization could allow unauthorized access to sensitive administrative data. By exploiting how the system processes specific search queries, an unauthenticated attacker could potentially take over an administrative account. This issue represents a significant business concern, as it enables external parties to bypass established security controls and gain full administrative control over the platform.

A – Asset Exposure

Organizations using the Strapi content management system may be affected if they expose content APIs to the public. Because these APIs are often internet-facing, external attackers could potentially exploit this weakness to gain administrative access to your platform. By manipulating specific query parameters, unauthorized parties could extract sensitive information, potentially leading to the compromise of administrative credentials. This exposure poses a direct risk to the integrity of your operational systems and the security of your account management.

L – Live Threat

This vulnerability concerns a flaw in how query parameters are processed, which could theoretically allow an unauthorized individual to infer sensitive administrative data. However, the available context does not indicate active exploitation or observed targeting of this vulnerability. There are currently no reports of public exploit activity associated with this issue.

O – Operational Fix

Please prioritize updating your Strapi deployment to the latest available release. This update introduces stricter validation and sanitization of API query parameters, closing the gap that previously allowed unauthorized access to administrative user data. We recommend that your technical team apply this patch across all environments to secure your public-facing APIs and ensure robust data protection.
