Package details: pkg:npm/%40strapi/plugin-users-permissions@3.2.1
purl pkg:npm/%40strapi/plugin-users-permissions@3.2.1
Tags Ghost
Next non-vulnerable version 4.24.2
Latest non-vulnerable version 5.45.0
Risk 4.0
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-1nkk-pvsd-x7dn
Aliases:
CVE-2023-22893
GHSA-583x-23h9-f5w7
Improper Authentication: Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that uses AWS Cognito for authentication.
4.6.0
Affected by 3 other vulnerabilities.
VCID-crp3-d3de-6uhk
Aliases:
GHSA-xv3q-jrmm-4fxv
GMS-2023-1157
Authentication Bypass in @strapi/plugin-users-permissions: Strapi through 4.5.6 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication.
4.6.0
Affected by 3 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-02T04:44:35.125943+00:00 GitLab Importer Affected by VCID-1nkk-pvsd-x7dn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@strapi/plugin-users-permissions/CVE-2023-22893.yml 38.6.0
2026-06-02T04:44:34.676156+00:00 GitLab Importer Affected by VCID-crp3-d3de-6uhk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@strapi/plugin-users-permissions/GMS-2023-1157.yml 38.6.0