Strapi: Password Reset Does Not Revoke Existing Refresh Sessions — CVE-2026-22706

Summary

### Summary of CVE-2026-22706 Vulnerability Details - CVE: CVE-2026-22706 - CVSS v3.1 Vector: `CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N` (2.1 — Low) - Affected Versions: `@strapi/admin` and `@strapi/plugin-users-permissions` <=5.33.2 - How to Patch: Immediately update your Strapi to >=5.33.3 ### Description of CVE-2026-22706 In Strapi versions prior to 5.33.3, changing or resetting a user's…

Product

npm: @strapi/admin | npm: @strapi/plugin-users-permissions

What to do

General, cautious steps (verify details in the official source):

• Review exposure and plan remediation based on risk and environment.
• Identify affected product versions in your inventory and verify whether you are impacted.
• Apply vendor patches/updates or recommended mitigations as soon as available.
• Read the official advisory for exact affected versions and remediation steps.

Official advisory

• Read the official source
• CVE Record
• NVD

Related advisories