CVE-2023-22893
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2023-04-19T16:15:07.253 · Last modified 2026-06-17T05:36:22.280

Summary

Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token signed with the 'None' algorithm to bypass authentication and impersonate any user who authenticates through AWS Cognito.

Affected products

strapi — strapi

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.