Description
Strapi through 4.5.6 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication.
Recommendation
Update the @strapi/plugin-users-permissions package to the latest compatible version. Followings are version details:
- Affected version(s): >= 3.2.1, < 4.6.0
- Patched version(s): 4.6.0
References
Related Issues
- @strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass - CVE-2024-34065
- Strapi Improper Rate Limiting vulnerability - @strapi/plugin-users-permissions - CVE-2023-38507
- Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying - CVE-2025-64526
- Strapi: Password Reset Does Not Revoke Existing Refresh Sessions - @strapi/plugin-users-permissions - CVE-2026-22706
You might also like:
- Tags:
- npm
- @strapi/plugin-users-permissions
Anything's wrong? Let us know Last updated on April 19, 2023