Strapi

v5.47.0 Breaking

This release includes 1 breaking change for platform teams planning a safe upgrade.

Published 6d Productivity & Wikis

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

api cms cms-framework content-management content-management-system customizable

+12 more

web graphql headless-cms jamstack javascript mysql no-code nodejs posgresql rest strapi typescript

ReleasePort's take

Light signal

editorial:auto 6d

Strapi v5.47.0 adds BETA MCP server support and a publicationFilter parameter to REST/document services while removing the adminTokens future flag.

Why it matters: The removal of the adminTokens future flag (severity 40) requires operators to adjust authentication configurations before upgrade; new filtering capabilities enhance query flexibility.

Summary

AI summary

Updates ❤️ Thank You, 🔥 Bug fix, and ⚙️ Chore across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Feature
Feature	Low	Adds BETA MCP server support. Adds BETA MCP server support. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Low	Adds publicationFilter param to REST and document service. Adds publicationFilter param to REST and document service. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Low	Inherits publicationFilter into populated relations for GraphQL queries. Inherits publicationFilter into populated relations for GraphQL queries. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—
Deprecation	Medium	Removes adminTokens future flag. Removes adminTokens future flag. Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix
Bugfix	Medium	Fixes relation search in nested components. Fixes relation search in nested components. Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Fixes inability to access content manager page with required and private routes. Fixes inability to access content manager page with required and private routes. Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Gates expiresIn deprecation on user auth options in admin. Gates expiresIn deprecation on user auth options in admin. Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Redirects active tab to login on session expiry in admin. Redirects active tab to login on session expiry in admin. Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Prevents serving extensionless admin paths as static files. Prevents serving extensionless admin paths as static files. Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Prevents content history crash when relations are deleted. Prevents content history crash when relations are deleted. Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Preserves createdBy/updatedBy fields on drafts after discard-drafts migration. Preserves createdBy/updatedBy fields on drafts after discard-drafts migration. Source: llm_adapter@2026-05-28 Confidence: high	—
Refactor	Low	Changes codeBlockValidator to use language instead of syntax. Changes codeBlockValidator to use language instead of syntax. Source: granite4.1:30b@2026-05-28-audit Confidence: low	—

Full changelog

5.47.0 (2026-05-28)

🚀 New feature

BETA: MCP server (#26371)
publicationFilter param in REST and document service (#25793)
admin-tokens: remove adminTokens future flag (#26391)
admin: add documentation helper link in HeaderLayout (#26422)

🔥 Bug fix

Relation Search in Nested Components (#26023)
unable to access content manager page with required and private … (#24101)
admin: gate expiresIn deprecation on user auth options (#26298)
admin: redirect active tab to login on session expiry (#26165)
admin: avoid serving extensionless admin paths as static files (#26368)
content-manager: content history crash on deleted relations (#26245)
core: preserve createdBy/updatedBy on drafts created by discard-drafts migration (#26461)
core/core: codeBlockValidator uses language instead of syntax (#26392)
graphql: inherit publicationFilter into populated relations (#26400)

⚙️ Chore

dedupe yarn.lock file (#26376)
fix dependabot cooldown config for github-actions (#26438)
ci: improve dependabot security grouping and version update policy (#26408)
commitlint: disable body-max-line-length rule (#26406)
deps: bump simple-git from 3.32.3 to 3.36.0 (#26220)
deps: bump sanitize-html from 2.13.0 to 2.17.4 (#26342)
deps: bump ws from 8.17.1 to 8.20.1 in @strapi/data-transfer (#26379)
examples: remove sdk-plugin from todo-example plugin (#26341)
strapi: upgrade webpack ecosystem dependencies (#26385)

💅 Enhancement

db: migration performance improvements (#25988)
provider-amazon-ses: replace node-ses with AWS SDK SESClient (#26054)
i18n: update and create Slovak translations (#25831)

❤️ Thank You

Adrien L @Adzouz
Andrei L @unrevised6419
Arav Menon @Arav-Menon
bartsmartshore @bartsmartshore
Bassel Kanso @Bassel17
Ben Irvin
Dhruv Chheda @chhedadhruv
DMehaffy
Filip Ónodi @fonodi
Nico André
Sjouke de Vries @sjoukedv
Vishal Kumar Singh @singhvishalkr

Breaking Changes

Removed the `adminTokens` future flag configuration.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Strapi

Get notified when new releases ship.

About Strapi

The most advanced open-source Content Management Framework (headless-CMS) to build powerful API with no effort.