CVE-2026-22599
Strapi Vulnerable to SQL Injection in Content Type Builder
描述
### Summary of CVE-2026-22599 Vulnerability Details - CVE: CVE-2026-22599 - CVSS v3.1 Vector: `CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N` (9.3 — Critical) - Affected Versions: `@strapi/content-type-builder` <=5.33.1 (v5), `@strapi/plugin-content-type-builder` <=4.26.0 (v4) - How to Patch: Immediately update your Strapi to >=5.33.2 (v5) or >=4.26.1 (v4) ### Description of CVE-2026-22599 A database-query injection vulnerability existed in the Strapi Content-Type Builder write API. An authenticated administrator could inject arbitrary database statements through the `column.defaultTo` attribute when creating or modifying a content type. Setting `defaultTo` as a tuple `[value, { isRaw: true }]` caused the value to be passed directly into Knex's `db.connection.raw()` during schema migration without sanitization, allowing arbitrary statement execution at the database layer. Depending on the database engine, this enabled arbitrary file read via database utility functions, denial of service via forced server crash on schema-migration error, and on engines that permit external program execution, remote code execution against the database server. The patch addresses this by restricting all Content-Type Builder write APIs to development mode only. Production deployments running v5.33.2 or later return 404 for requests against `/content-type-builder/content-types` and related endpoints, removing the network-reachable attack surface entirely. ### IoC's for CVE-2026-22599 Indicators that an instance running an unpatched version may have been exploited: - HTTP access logs containing POST or PUT requests to `/content-type-builder/content-types` from a non-internal source. Regex pattern: `(POST|PUT)\s+/content-type-builder/` - Database server logs containing unexpected DEFAULT clause values that reference filesystem-access or program-execution helper functions of your database engine - Strapi server crashes immediately following a content-type creation or update, observed as the Node process exiting during the schema-migration step - Files appearing under unexpected paths on the database host that match content-type DEFAULT values from the application - Newly-created content-types named or shaped to extract specific data (attribute names like `passwd`, `etc`, `env`, `config`)
如何修補 CVE-2026-22599
要修補 CVE-2026-22599,請將受影響套件升級到下列已修補版本。
- —升級至 5.33.2 或更新版本