Vulnerability details: VCID-a54s-xn6b-eycd
Vulnerability ID VCID-a54s-xn6b-eycd
Aliases CVE-2024-29181
GHSA-6j89-frxc-q26m
Summary @strapi/plugin-content-manager leaks data via relations via the Admin Panel
1. If a super admin creates a collection where an item in the collection has an association to another collection, a user with the Author Role can see the list of associated items they did not create. They should only see their own items that they created, not all items ever created.
Status Published
Exploitability 0.5
Weighted Severity 2.7
Risk 1.4
Weaknesses (3)
No exploits are available.
Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/strapi/strapi
Attack Vector (AV): adjacent_network
Attack Complexity (AC): high
Privileges Required (PR): low
User Interaction (UI): required
Scope (S): unchanged
Confidentiality Impact (C): low
Integrity Impact (I): none
Availability Impact (A): none
Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-12T15:34:46Z/ Found at https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6
Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-12T15:34:46Z/ Found at https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m
Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-29181
Exploit Prediction Scoring System (EPSS)
Percentile 0.63077
EPSS Score 0.00433
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:21:57.169548+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@strapi/plugin-content-manager/CVE-2024-29181.yml 38.6.0