CVE-2021-46440

7.5 HIGH

📋 TL;DR

Strapi's DOCUMENTATION plugin stores the plugin password in a recoverable format: it is base64-encoded (not hashed) in a cookie. Anyone who obtains that cookie, for example by intercepting plain-HTTP requests, can decode it to the cleartext password and use it to reach the API documentation as a starting point for further attacks. Affects Strapi installations with the documentation plugin enabled.

💻 Affected Systems

Products:
  • Strapi
Versions: Strapi < 3.6.9, Strapi 4.x < 4.1.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires DOCUMENTATION plugin to be enabled and accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers recover the cleartext password, reuse it wherever the same credential is used, and mine the API documentation for endpoints to attack, leading to data breach or system compromise.

🟠

Likely Case

Attackers gain limited API documentation access, potentially discovering other vulnerabilities or sensitive endpoints.

🟢

If Mitigated

With HTTPS enforced and a fixed version deployed, the cookie no longer carries a recoverable password, and exposure is limited to an attacker who can already read cookies on the client.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires obtaining the cookie (intercepting plain-HTTP traffic or reading it from a client); base64 decoding is trivial.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Strapi 3.6.9, Strapi 4.1.5

Vendor Advisory: https://github.com/strapi/strapi/pull/12246

Restart Required: Yes

Instructions:

1. Update Strapi to version 3.6.9 (3.x) or 4.1.5 (4.x) or later.
2. Restart the Strapi service.
3. Invalidate existing sessions/cookies and rotate the documentation plugin password, since any cookie already issued still contains the old one.

🔧 Temporary Workarounds

Disable DOCUMENTATION plugin

Platform: all

Temporarily disable the vulnerable plugin until patching is possible. This also removes the API documentation for legitimate users.

Edit the Strapi plugin configuration to disable the documentation plugin.

Implement HTTPS and secure cookies

Platform: all

Enforce HTTPS and secure cookie attributes to prevent interception on the wire. This reduces exposure but does not remove the recoverable password from the cookie itself, so treat it as a stopgap rather than a fix.

Configure Strapi to use HTTPS only
Set cookie security flags: Secure, HttpOnly

🧯 If You Can't Patch

  • Restrict access to the /documentation endpoints using network ACLs or WAF rules.
  • Monitor access to the documentation endpoints and alert on failed logins followed by successful access, or on access from unexpected sources.

🔍 How to Verify

Check if Vulnerable:

Check Strapi version and if documentation plugin is enabled; versions <3.6.9 or 4.x <4.1.5 are vulnerable.

Check Version:

strapi version

Verify Fix Applied:

Confirm the installed version is >= 3.6.9 (3.x) or >= 4.1.5 (4.x), then log in to the documentation plugin and confirm that the cookies it issues no longer decode to the password.
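The two checks above (version threshold and cookie contents) as an added example, not part of the advisory or of Strapi's own code. The version thresholds are the ones the advisory states; the cookie name `docs_session`, the password `Sup3rSecret!` and the sample Set-Cookie headers are constructed for illustration.

```javascript
// Added example (not part of the advisory or of Strapi's own code): a pre/post-patch
// check for CVE-2021-46440. The version thresholds come from the advisory; the cookie
// name and the password in the sample Set-Cookie headers below are constructed.

const FIXED = { 3: '3.6.9', 4: '4.1.5' }; // first fixed release per major, per the advisory

function parseVersion(v) {
  const parts = v.replace(/^v/, '').split('.').map((n) => parseInt(n, 10));
  if (parts.length < 3 || parts.some((n) => Number.isNaN(n))) throw new Error(`bad version: ${v}`);
  return parts;
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True when the installed Strapi version predates the fix for its major line.
// Anything below 4.x is compared against 3.6.9 (the advisory says "< 3.6.9");
// majors above 4 are treated as fixed.
function isVulnerableVersion(version) {
  const major = parseVersion(version)[0];
  if (major <= 3) return compareVersions(version, FIXED[3]) < 0;
  if (major === 4) return compareVersions(version, FIXED[4]) < 0;
  return false;
}

// Strict base64 check: canonical alphabet, padded length and an exact round trip,
// so opaque session tokens are not mistaken for encoded text.
function decodeIfBase64Text(value) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(value) || value.length % 4 !== 0) return null;
  const decoded = Buffer.from(value, 'base64').toString('utf8');
  if (Buffer.from(decoded, 'utf8').toString('base64') !== value) return null;
  return /^[\x20-\x7e]+$/.test(decoded) ? decoded : null; // printable ASCII only
}

// Parse Set-Cookie headers and report every cookie whose value decodes to readable text.
function findRecoverableCookies(setCookieHeaders) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const pair = header.split(';')[0];
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    const name = pair.slice(0, eq).trim();
    const decoded = decodeIfBase64Text(pair.slice(eq + 1).trim());
    if (decoded !== null) findings.push({ name, decoded });
  }
  return findings;
}

// Constructed sample: a docs cookie carrying base64("Sup3rSecret!") next to an opaque session id.
const SAMPLE_SET_COOKIE = [
  'docs_session=U3VwM3JTZWNyZXQh; Path=/documentation; HttpOnly',
  'sid=f9a1c-4e2d-77b0; Path=/; HttpOnly; Secure',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('3.6.8 vulnerable:', isVulnerableVersion('3.6.8'));
  console.log('4.1.5 vulnerable:', isVulnerableVersion('4.1.5'));
  console.log(findRecoverableCookies(SAMPLE_SET_COOKIE));
}
```

Feed `findRecoverableCookies` the real Set-Cookie headers returned after logging in to the documentation plugin; on a fixed version it should return an empty list. The round-trip check matters: a random session id that happens to be valid base64 decodes to binary noise and is filtered out, so a non-empty result points at genuinely readable, and therefore recoverable, content.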

📡 Detection & Monitoring

Log Indicators:

  • Unusual access to documentation endpoints
  • Multiple failed authentication attempts followed by documentation access

Network Indicators:

  • Requests to the documentation endpoints over plain HTTP carrying the plugin's session cookie, which an on-path attacker can read and decode

SIEM Query:

source="strapi" uri="/documentation*" | stats count(eval(status>=400)) AS failures, count(eval(status=200)) AS successes BY src_ip | where failures>=3 AND successes>0

(Splunk-style query; field names depend on how the access log is indexed. A base64 value cannot be matched by the literal string "base64", so the indicator is the endpoint and the failed-then-successful pattern, not the cookie value.)
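The same failed-logins-then-access pattern as the SIEM query, implemented over sample access-log lines so it can be tested offline. This is an added example, not part of the advisory or of Strapi; the combined log format, the `/documentation/login` path and the six log lines below are constructed assumptions.

```javascript
// Added example (not part of the advisory or of Strapi): scan access-log lines for
// documentation-plugin activity and flag "repeated failed logins, then successful access".
// Assumptions: combined log format; plugin served under /documentation with a login
// page at /documentation/login; the log lines below are constructed.

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], ts: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// One finding per client IP: failed login attempts (4xx on the login page), successful
// hits on the docs pages, whether a success followed the failures, and a severity.
function analyzeDocumentationAccess(lines, { failThreshold = 3 } = {}) {
  const perIp = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || !e.path.startsWith('/documentation')) continue; // only the plugin's endpoints
    const s = perIp.get(e.ip) || { ip: e.ip, failedLogins: 0, docsHits: 0, successAfterFailures: false };
    const isLogin = e.path.startsWith('/documentation/login');
    if (isLogin && e.status >= 400 && e.status < 500) {
      s.failedLogins += 1;
    } else if (!isLogin && e.status === 200) {
      s.docsHits += 1;
      if (s.failedLogins >= failThreshold) s.successAfterFailures = true; // order matters
    }
    perIp.set(e.ip, s);
  }
  return [...perIp.values()].map((s) => ({
    ...s,
    severity: s.successAfterFailures ? 'high' : s.failedLogins >= failThreshold ? 'medium' : 'info',
  }));
}

// Constructed sample: one client brute-forces the docs login and then gets in;
// another simply reads the docs and then calls the API.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Mar/2022:10:01:01 +0000] "POST /documentation/login HTTP/1.1" 401 23 "-" "curl/7.81.0"',
  '203.0.113.7 - - [10/Mar/2022:10:01:02 +0000] "POST /documentation/login HTTP/1.1" 401 23 "-" "curl/7.81.0"',
  '203.0.113.7 - - [10/Mar/2022:10:01:03 +0000] "POST /documentation/login HTTP/1.1" 401 23 "-" "curl/7.81.0"',
  '203.0.113.7 - - [10/Mar/2022:10:01:09 +0000] "GET /documentation/v1.0.0 HTTP/1.1" 200 5123 "-" "curl/7.81.0"',
  '198.51.100.4 - - [10/Mar/2022:10:05:00 +0000] "GET /documentation/v1.0.0 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [10/Mar/2022:10:05:02 +0000] "GET /api/articles HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const finding of analyzeDocumentationAccess(SAMPLE_LOG)) console.log(finding);
}
```

The threshold and paths are parameters to adjust to the deployment; the point is that the detection keys on the plugin's endpoints and request ordering rather than on cookie contents, which are opaque to a log-based detector.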

🔗 References
