CVE-2026-22599— Strapi Vulnerable to SQL Injection in Content Type Builder
Possible ATT&CK Techniques 3AI
T1003 · OS Credential Dumping T1059 · Command and Scripting Interpreter T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 4
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| strapi | @strapi/content-type-builder | >= 5.0.0, < 5.33.2 | affected |
>= 4.0.0, < 4.26.1 | affected | ||
| strapi | strapi | >= 5.0.0, < 5.33.2 | affected |
>= 4.0.0, < 4.26.1 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-22599
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Strapi Vulnerable to SQL Injection in Content Type Builder
Source: NVD (National Vulnerability Database)
Vulnerability Description
Strapi is an open source headless content management system. In versions on the 4.x branch prior to 4.26.1 and on the 5.x branch prior to 5.33.2, a database-query injection vulnerability existed in the Strapi Content-Type Builder write API. An authenticated administrator could inject arbitrary database statements through the `column.defaultTo` attribute when creating or modifying a content type. Setting `defaultTo` as a tuple `[value, { isRaw: true }]` caused the value to be passed directly into Knex's `db.connection.raw()` during schema migration without sanitization, allowing arbitrary statement execution at the database layer. Depending on the database engine, this enabled arbitrary file read via database utility functions, denial of service via forced server crash on schema-migration error, and on engines that permit external program execution, remote code execution against the database server. The patch in versions 4.26.1 and 5.33.2 addresses this by restricting all Content-Type Builder write APIs to development mode only. Production deployments running v5.33.2 or later return 404 for requests against `/content-type-builder/content-types` and related endpoints, removing the network-reachable attack surface entirely.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Strapi SQL注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Strapi是法国strapi社区的一套开源的内容管理系统(CMS)。 Strapi 4.26.1之前版本和5.33.2之前版本存在SQL注入漏洞,该漏洞源于Content-Type Builder写入API中数据库查询注入,可能导致经过身份验证的管理员通过column.defaultTo属性注入任意数据库语句,从而根据数据库引擎实现任意文件读取、拒绝服务或远程代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| strapi | strapi | >= 5.0.0, < 5.33.2 | - | |
| strapi | @strapi/content-type-builder | >= 5.0.0, < 5.33.2 | - |
II. Public POCs for CVE-2026-22599
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-22599
请登录查看更多情报信息。
- https://github.com/strapi/strapi/releases/tag/v4.26.1x_refsource_MISC
- https://github.com/strapi/strapi/releases/tag/v5.33.2x_refsource_MISC
- https://github.com/strapi/strapi/security/advisories/GHSA-3xcq-8mjw-h6mxx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-22599
Same Patch Batch · strapi · 2026-05-14 · 5 CVEs total
| CVE-2026-22706 | Strapi: Password Reset Does Not Revoke Existing Refresh Sessions | |
| CVE-2026-22707 | Strapi Upload Plugin MIME Validation Bypass via Content API | |
| CVE-2026-27886 | Strapi may leak sensitive data via relational filtering due to lack of query sanitization | |
| CVE-2025-64526 | Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email k |
IV. Related Vulnerabilities
Same product: strapi
- CVE-2026-27886
Strapi may leak sensitive data via relational filtering due - CVE-2026-22707
Strapi Upload Plugin MIME Validation Bypass via Content API - CVE-2026-22706
Strapi: Password Reset Does Not Revoke Existing Refresh Sess - CVE-2025-64526
Strapi has a rate limit bypass on users-permissions plugin v - CVE-2025-53092
Strapi core vulnerable to sensitive data exposure via CORS m
Same vendor: strapi
- CVE-2026-27886
Strapi may leak sensitive data via relational filtering due - CVE-2026-22707
Strapi Upload Plugin MIME Validation Bypass via Content API - CVE-2026-22706
Strapi: Password Reset Does Not Revoke Existing Refresh Sess - CVE-2025-64526
Strapi has a rate limit bypass on users-permissions plugin v - CVE-2025-53092
Strapi core vulnerable to sensitive data exposure via CORS m
Same weakness: CWE-89
- CVE-2026-8724
Dataease Data Dashboard SqlparserUtils.java SqlparserUtils.t - CVE-2021-47980
Fuel CMS 1.4.13 Blind SQL Injection via col Parameter - CVE-2021-47956
EgavilanMedia PHPCRUD 1.0 SQL Injection via firstname - CVE-2021-47954
LayerBB 1.1.4 SQL Injection via search_query Parameter - CVE-2020-37244
WordPress Plugin Supsystic Membership 1.4.7 SQL Injection vi
V. Comments for CVE-2026-22599
No comments yet