Strapi: Password Reset Does Not Revoke Existing Refresh Sessions - @strapi/plugin-users-permissions

Description

No description available.

Recommendation

Update the @strapi/plugin-users-permissions package to the latest compatible version. Followings are version details:

• Affected version(s): <= 5.33.2
• Patched version(s): 5.33.3

References

• GHSA-hvp3-26wx-g2w4
• CVE-2026-22706
• CWE-613
• CAPEC-310
• OWASP 2021-A6
• OWASP 2021-A7

Related Issues

• Strapi: Password Reset Does Not Revoke Existing Refresh Sessions - CVE-2026-22706
• Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin - CVE-2023-22621
• Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying - CVE-2025-64526
• SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover - CVE-2026-44648

You might also like:

How do hackers hack websites?

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

@strapi/plugin-users-permissions