Strapi

v5.46.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 14d Productivity & Wikis

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

api cms cms-framework content-management content-management-system customizable

+12 more

web graphql headless-cms jamstack javascript mysql no-code nodejs posgresql rest strapi typescript

Affected surfaces

deps

Summary

AI summary

Updates 🔥 Bug fix, ❤️ Thank You, and ⚙️ Chore across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	Upgrade multiple dependencies for security vulnerabilities Upgrade multiple dependencies for security vulnerabilities Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Feature
Feature	Medium	Remove year 2041 limit on date/datetime pickers in admin Remove year 2041 limit on date/datetime pickers in admin Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Feature	Medium	Inherit publication state for i18n localizations in graphql Inherit publication state for i18n localizations in graphql Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Feature	Medium	Add assignee and review stage to list view filters in review-workflows Add assignee and review stage to list view filters in review-workflows Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Feature	Medium	Message when single stage in review-workflows Message when single stage in review-workflows Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Dependency
Dependency	Medium	Bump ip-address from 10.1.0 to 10.2.0 Bump ip-address from 10.1.0 to 10.2.0 Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Dependency	Medium	Bump @protobufjs/utf8 from 1.1.0 to 1.1.1 Bump @protobufjs/utf8 from 1.1.0 to 1.1.1 Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Dependency	Medium	Bump axios from 1.15.1 to 1.15.2 Bump axios from 1.15.1 to 1.15.2 Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Dependency	Medium	Bump fast-xml-builder from 1.1.4 to 1.2.0 Bump fast-xml-builder from 1.1.4 to 1.2.0 Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Dependency	Medium	Bump fast-uri from 3.0.1 to 3.1.2 Bump fast-uri from 3.0.1 to 3.1.2 Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Performance	Medium	Use pnpm install when project prefers pnpm in upgrade Use pnpm install when project prefers pnpm in upgrade Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Bugfix
Bugfix	Medium	Fix FK violation publishing self-relation parent & child in one release Fix FK violation publishing self-relation parent & child in one release Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Bugfix	Medium	Move session-manager JWT check from register to bootstrap Move session-manager JWT check from register to bootstrap Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Bugfix	Medium	Fix getMainField context for component list/edit configure views in content-manager Fix getMainField context for component list/edit configure views in content-manager Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Bugfix	Medium	Respect nested sort in populate for join-table relations in database Respect nested sort in populate for join-table relations in database Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Bugfix	Medium	Guard inverseJoinColumn access in discard-drafts migration in migrations Guard inverseJoinColumn access in discard-drafts migration in migrations Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Refactor	Medium	Align scoped @strapi packages in devDependencies in upgrade Align scoped @strapi packages in devDependencies in upgrade Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—
Refactor	Medium	Migrate .eslintrc + .eslintignore to .eslintrc.cjs Migrate .eslintrc + .eslintignore to .eslintrc.cjs Source: granite4.1:8b-q6_K@2026-05-20 Confidence: low	—

Full changelog

5.46.1 (2026-05-20)

🔥 Bug fix

FK violation publishing self-relation parent & child in one release (#26147)
move session-manager jwt check from register to bootstrap (#25412)
admin: remove year 2041 limit on date/datetime pickers (#26209)
content-manager: fix getMainField context for component list/edit configure views (#25509, #26124)
database: respect nested sort in populate for join-table relations (#26361)
graphql: inherit publication state for i18n localizations (#22163)
migrations: guard inverseJoinColumn access in discard-drafts migration (#26331)
review-workflows: add assignee and review stage to list view filters (#26171)
review-workflows: message when single stage (#26229)
upgrade: use pnpm install when project prefers pnpm (#26246)
upgrade: align scoped @strapi packages in devDependencies (#26248)

⚙️ Chore

sonarcloud security review (#25949)
deps: bump ip-address from 10.1.0 to 10.2.0 (#26222)
deps: bump @protobufjs/utf8 from 1.1.0 to 1.1.1 (#26311)
deps: bump axios from 1.15.1 to 1.15.2 (#26177)
deps: bump fast-xml-builder from 1.1.4 to 1.2.0 (#26253)
deps: bump fast-uri from 3.0.1 to 3.1.2 (#26254)
eslint: migrate .eslintrc + .eslintignore to .eslintrc.cjs (#26216)

🚨 Security

deps: upgrade multiple dependencies (#26326)

❤️ Thank You

Adrien L @Adzouz
Andrei L @unrevised6419
Ben Irvin
Garrett Heaver @garrettheaver
jmichalec-vl
Maksim Zhukau @MaksZhukov
Simen @Eventyret
Simon Norris @cache-your-dreams
Westley Marchment

Security Fixes

Upgraded multiple dependencies as part of a security review

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Strapi

Get notified when new releases ship.

About Strapi

The most advanced open-source Content Management Framework (headless-CMS) to build powerful API with no effort.