Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-u4r4-vdw1-hkd7
Vulnerability ID VCID-u4r4-vdw1-hkd7
Aliases CVE-2023-22893
GHSA-583x-23h9-f5w7
Summary Improper Authentication Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that use AWS Cognito for authentication.
Status Published
Exploitability 0.5
Weighted Severity 0.5
Risk 0.2
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-287 Improper Authentication
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.50773 https://api.first.org/data/v1/epss?cve=CVE-2023-22893
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-583x-23h9-f5w7
generic_textual MODERATE https://github.com/strapi/strapi
generic_textual MODERATE https://github.com/strapi/strapi/blob/v4.5.6/packages/plugins/users-permissions/server/services/providers-registry.js
generic_textual MODERATE https://github.com/strapi/strapi/commit/46f8f98378338f18b5c6139d0157a8f71bf4de83
generic_textual MODERATE https://github.com/strapi/strapi/commit/8bbbd7383a20bb7cb163c8b462baffee559e994f
generic_textual MODERATE https://github.com/strapi/strapi/commit/eeab43b57707d7ef275076d27be6eabc72bd71a7
cvssv3.1 8.2 https://github.com/strapi/strapi/releases
generic_textual MODERATE https://github.com/strapi/strapi/releases
ssvc Track https://github.com/strapi/strapi/releases
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-22893
cvssv3.1 8.2 https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve
generic_textual MODERATE https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve
ssvc Track https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve
generic_textual MODERATE https://www.ghostccamm.com/blog/multi_strapi_vulns
cvssv3.1 8.2 https://www.ghostccamm.com/blog/multi_strapi_vulns/
ssvc Track https://www.ghostccamm.com/blog/multi_strapi_vulns/
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2023-22893
https://github.com/strapi/strapi
https://github.com/strapi/strapi/blob/v4.5.6/packages/plugins/users-permissions/server/services/providers-registry.js
https://github.com/strapi/strapi/commit/46f8f98378338f18b5c6139d0157a8f71bf4de83
https://github.com/strapi/strapi/commit/8bbbd7383a20bb7cb163c8b462baffee559e994f
https://github.com/strapi/strapi/commit/eeab43b57707d7ef275076d27be6eabc72bd71a7
https://github.com/strapi/strapi/releases
https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve
https://www.ghostccamm.com/blog/multi_strapi_vulns
https://www.ghostccamm.com/blog/multi_strapi_vulns/
CVE-2023-22893 https://nvd.nist.gov/vuln/detail/CVE-2023-22893
GHSA-583x-23h9-f5w7 https://github.com/advisories/GHSA-583x-23h9-f5w7
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Found at https://github.com/strapi/strapi/releases
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T16:39:39Z/ Found at https://github.com/strapi/strapi/releases
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Found at https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T16:39:39Z/ Found at https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Found at https://www.ghostccamm.com/blog/multi_strapi_vulns/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T16:39:39Z/ Found at https://www.ghostccamm.com/blog/multi_strapi_vulns/
Exploit Prediction Scoring System (EPSS)
Percentile 0.97904
EPSS Score 0.50773
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T21:00:23.630182+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/strapi/CVE-2023-22893.yml 38.6.0