CVE-2021-28128

8.1 HIGH

📋 TL;DR

In Strapi through 3.6.0, the admin panel lets a logged-in administrator change their own password without entering the current one. An attacker who has obtained a valid admin session (for example a stolen admin JWT) can therefore set a new password on the victim's account, locking the legitimate user out and keeping access even after the stolen token expires. All Strapi releases through 3.6.0 are affected; 3.6.1 adds the current-password check.

💻 Affected Systems

Products:
  • Strapi
Versions: through 3.6.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are affected. The flaw is in the admin panel's own profile (password) update for admin users, so it is reachable by anyone holding an admin session, regardless of how the instance is configured.

📦 What is this software?

Strapi is an open-source, Node.js headless CMS. Its admin panel (served under /admin) is where administrators define content types, manage content and edit their own accounts; the public content API is separate.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Takeover of a super-admin account gives full control of the admin panel: content types, content, admin users, roles and plugin settings, i.e. the whole Strapi instance and the data it holds.

🟠

Likely Case

Account takeover of individual users, potentially including administrators, leading to unauthorized content changes, data access, and persistence in the system.

🟢

If Mitigated

Limited impact with proper session management, strong authentication controls, and network segmentation preventing unauthorized access to admin panels.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a valid admin session token. The Strapi admin panel authenticates with a JWT that the browser keeps in web storage and sends as a bearer header, so the attack chain is token theft first (XSS in the panel, a compromised workstation, interception over plain HTTP) and then a single profile-update request carrying a new password. Without a token there is nothing to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.1 and later

Vendor Advisory: https://strapi.io/changelog

Restart Required: Yes

Instructions:

1. Back up the Strapi project and its database.
2. In package.json, set the `strapi` package and every `strapi-*` package (plugins, admin, database connector) to the same patched release, 3.6.1 or a later 3.x, and run `npm install` (or `yarn install`). Do not use `npm update strapi@latest`: `latest` resolves to a newer major line with breaking changes, and Strapi 3 requires all strapi-* packages to be on one version.
3. Rebuild the admin panel (`npm run build`) and restart the Strapi service.
4. Verify the installed version with `npx strapi version` and confirm the profile page now asks for the current password.

🔧 Temporary Workarounds

Session Management Hardening

Platform: all

Shorten the admin token lifetime, serve the panel only over HTTPS, and, where a reverse proxy fronts Strapi, bind sessions to the client IP or require re-authentication for /admin. Note that the admin JWT lives in browser storage and travels in an Authorization header, so cookie attributes alone do not protect it.

Admin Panel Access Restriction

Platform: all

Restrict access to the admin panel (/admin) with network controls (VPN, IP allowlist at the reverse proxy) or a web application firewall, so a stolen token is only usable from an allowed network.

🧯 If You Can't Patch

  • Strapi 3 has no built-in MFA for admin accounts; enforce it in front of /admin with an identity-aware proxy or SSO gateway
  • Log and alert on admin profile updates that set a new password without a current password (see Detection & Monitoring)

🔍 How to Verify

Check if Vulnerable:

Read the `strapi` dependency in package.json (or, for the exact installed release, the `version` field of node_modules/strapi/package.json), or run `npx strapi version` inside the project. Any version up to and including 3.6.0 is vulnerable.

Check Version:

npx strapi version   # or `strapi version` if the CLI is installed globally

Verify Fix Applied:

After updating, log in to the admin panel, open your own profile page and try to save a new password while leaving the current-password field empty; the request must be rejected. Test with a non-super-admin account so a mistake cannot lock out the last administrator.

📡 Detection & Monitoring

Log Indicators:

  • Admin profile updates that set a new password without a current password. Strapi 3 does not log these by default, so the signal has to come from request logging at the reverse proxy or from a custom middleware that records the profile route
  • Multiple failed admin logins followed by a successful password change on the same account
  • Admin panel access from unusual IP addresses, or the same admin token used from two networks at once

Network Indicators:

  • PUT requests to the admin profile update route (`/admin/users/me` in Strapi 3) whose body sets `password` but carries no `currentPassword`; note that `/users-permissions/users/:id` belongs to the users-permissions plugin for end-user accounts, which is not the route this CVE concerns
  • Unusual patterns of admin panel access

SIEM Query (field names are illustrative; Strapi emits no such event natively, so they assume a logging middleware or proxy that records profile updates):

source="strapi" AND (event="password_change" AND NOT current_password_verified="true")
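The same predicate serves both the temporary workaround (refuse a profile password change that lacks the current password) and the detection above (flag such requests in logs). The block below is an added example, not Strapi project code. It assumes the Strapi 3 admin profile update route is `PUT /admin/users/me` with `password` and `currentPassword` fields in the body, that the middleware runs after Strapi's body parser (the Strapi 3 middleware wrapper and config/middleware.js wiring are not shown), and that the JSON log lines come from a logging middleware or proxy you added; the sample lines are constructed.

```javascript
// Added example, not Strapi's code. One predicate, two uses:
//  (a) a Koa-style middleware that blocks an admin password change without
//      the current password (temporary workaround until 3.6.1 is installed),
//  (b) a scanner over request logs that flags the same pattern after the fact.
// Assumption: the admin profile route is PUT /admin/users/me (Strapi 3) and
// the body carries `password` (new) and `currentPassword` (what 3.6.1 requires).

const ADMIN_PROFILE_ROUTE = /^\/admin\/users\/me\/?$/;

// True when this request would change the session owner's password without
// proving knowledge of the current one.
function isUnverifiedPasswordChange(method, path, body) {
  if (String(method).toUpperCase() !== "PUT") return false;
  if (!ADMIN_PROFILE_ROUTE.test(String(path).split("?")[0])) return false;
  if (!body || typeof body !== "object") return false;
  const setsPassword = typeof body.password === "string" && body.password.length > 0;
  const provesCurrent = typeof body.currentPassword === "string" && body.currentPassword.length > 0;
  return setsPassword && !provesCurrent;
}

// (a) Koa-style middleware. In a Strapi 3 project this is the function you
// would hand to strapi.app.use() inside a custom middleware's initialize();
// it must run after the body parser so ctx.request.body is populated.
async function rejectUnverifiedPasswordChange(ctx, next) {
  const body = ctx.request && ctx.request.body;
  if (isUnverifiedPasswordChange(ctx.method, ctx.path, body)) {
    ctx.status = 400;
    ctx.body = {
      statusCode: 400,
      error: "Bad Request",
      message: "currentPassword is required to change the password",
    };
    return; // do not call next(): the profile controller never sees the request
  }
  await next();
}

// (b) Log scanner over JSON lines with ts, method, path, user, ip, body.
// Malformed lines are skipped rather than aborting the scan.
function scanRequestLog(lines) {
  const hits = [];
  for (const line of lines) {
    if (!line.trim()) continue;
    let ev;
    try { ev = JSON.parse(line); } catch (e) { continue; }
    if (isUnverifiedPasswordChange(ev.method, ev.path || "", ev.body)) {
      hits.push({ ts: ev.ts, user: ev.user, ip: ev.ip });
    }
  }
  return hits;
}

// Constructed sample log: one unverified change (alice), one verified change
// (bob), one profile edit without a password (carol), a login, and junk.
const SAMPLE_LOG = [
  '{"ts":"2021-04-01T10:00:00Z","method":"PUT","path":"/admin/users/me","user":"alice","ip":"203.0.113.5","body":{"password":"N3wPass!"}}',
  '{"ts":"2021-04-01T10:01:00Z","method":"PUT","path":"/admin/users/me","user":"bob","ip":"198.51.100.7","body":{"password":"N3wPass!","currentPassword":"OldPass"}}',
  '{"ts":"2021-04-01T10:02:00Z","method":"PUT","path":"/admin/users/me","user":"carol","ip":"198.51.100.9","body":{"firstname":"Carol"}}',
  '{"ts":"2021-04-01T10:03:00Z","method":"POST","path":"/admin/login","ip":"203.0.113.5","body":{"email":"alice@example.com"}}',
  "not json at all",
];

module.exports = { isUnverifiedPasswordChange, rejectUnverifiedPasswordChange, scanRequestLog, SAMPLE_LOG };
```

Against SAMPLE_LOG the scanner reports only alice's request. Because the middleware answers 400 before the controller runs, legitimate users on an unpatched instance are forced through the same current-password flow that 3.6.1 enforces, which is the point of the workaround; remove it once the upgrade is in place so the check is not duplicated.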

🔗 References
