## https://sploitus.com/exploit?id=5D9D0C87-A33C-5D49-A334-5304C1AF63BD
# CVE-2026-27886 Vulnerability Assessment Tool
Safely detect whether a [Strapi](https://strapi.io/) instance is vulnerable to CVE-2026-27886 without performing the full account-takeover chain. See the [full write-up](https://bishopfox.com/blog/cve-2026-27886-unauthenticated-boolean-oracle-exfiltration-of-administrator-secrets-in-strapi) on the Bishop Fox blog.
## Description
CVE-2026-27886 is an unauthenticated parameter sanitization bypass in Strapi versions 4.0.0 through 5.36.1 that allows remote, unauthenticated attackers to leak administrator secrets through the public Content API. The framework's query sanitizer in `@strapi/utils` processes only the documented `filters`, `sort`, `fields`, and `populate` query keys and silently preserves every other top-level key on the request. The unknown keys are then forwarded through `transformQueryParams` and land on `strapi.db.query(...)` as the SQL WHERE clause. By probing `where[updatedBy][resetPasswordToken][$startsWith]=` against any public Content API collection, an attacker can leak administrator secrets one character at a time through the response's `meta.pagination.total` field.
This tool performs non-destructive vulnerability testing by:
1. Sending a baseline `GET /api/`
2. Sending the same `GET` with `?where[id][$lt]=-1` appended
3. Comparing the two `meta.pagination.total` values to determine if the `where` clause reached the database layer
The `where[id][$lt]=-1` predicate cannot match any real row, so when the clause is honored at the database layer the response collapses to zero rows. When the patch is in place, the unknown `where` key is dropped by the sanitizer's allowlist before the query is built and the response is identical to the baseline. The probe never touches private admin columns and never modifies any data.
* **Vulnerable servers** return different totals: the baseline returns at least one row while the predicate request returns zero, because the `where` clause was honored at the database layer.
* **Patched servers** (Strapi 5.37.0 or later) return identical totals for both requests, because `sanitizeQuery` removes any unrecognized top-level keys before they reach the database.
* **Non-Strapi servers, unreachable endpoints, or empty collections** will report an `INCONCLUSIVE` result.
On a vulnerable server the tool then enumerates the administrator's email address character by character via `where[updatedBy][email][$startsWith]=`. It does **not** chain to administrator account takeover.
## Installation
```bash
git clone https://github.com/BishopFox/CVE-2026-27886-check
cd CVE-2026-27886-check
```
No external dependencies. The scanner uses only Python standard library modules.
## Usage
Test a Strapi server's public Content API collection endpoint. Strapi maps the content type's `pluralName` to the URL path, so the exact name varies by deployment.
```bash
python3 CVE-2026-27886-check.py
```
### Example: Vulnerable Server
```python
$ python3 CVE-2026-27886-check.py http://target.example.com/api/articles
[+] Target: http://target.example.com/api/articles
[+] Differential confirmed: baseline total=1, where-test total=0 -> VULNERABLE
[+] Enumerating admin email
admin email = admin@example.com
[+] Done. To remediate, upgrade to Strapi 5.37.0 or later.
```
### Example: Patched Server
```python
$ python3 CVE-2026-27886-check.py http://target.example.com/api/articles
[+] Target: http://target.example.com/api/articles
[+] Differential check: baseline total=1, where-test total=1 -> NOT VULNERABLE
```
## Preconditions
The tool can only detect the vulnerability if the following conditions are met:
* The target is running Strapi 4.0.0 through 5.36.1
* The Public role has been granted `find` on at least one content type
* At least one row in that content type has a non-NULL `updated_by_id`
* The target collection URL is reachable
If any condition isn't met, the tool will report an `INCONCLUSIVE` result.
## License
This code is distributed under an [MIT license](LICENSE).
## Legal Disclaimer
Usage of this tool for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
## See Also
* [Strapi Security Advisory GHSA-rjg2-95x7-8qmx](https://github.com/strapi/strapi/security/advisories/GHSA-rjg2-95x7-8qmx)
* [Bishop Fox Blog: Full Technical Analysis](https://bishopfox.com/blog/cve-2026-27886-unauthenticated-boolean-oracle-exfiltration-of-administrator-secrets-in-strapi)
* [NVD โ CVE-2026-27886](https://nvd.nist.gov/vuln/detail/CVE-2026-27886)