v4.26.2 - Final Strapi 4 Release (EOL April 30, 2026)
This is the final release of Strapi 4, which reaches end-of-life on April 30th, 2026. It includes a critical security patch for relational filtering vulnerability (CVE-2026-27886), dependency updates, admin email validation enforcement, and Node.js 22 support. Users should migrate to Strapi 5.
⚠️ Note: This is the final Strapi 4 release ⚠️
No further updates to Strapi 4 will be published, this release serves as the final version of Strapi 4 which is considered EOL (End-Of-Life) as of April 30th, 2026. All Strapi users should migrate to Strapi 5: https://docs.strapi.io/cms/migration/v4-to-v5/introduction-and-faq
Also please note, this does include Strapi Customers as well. Strapi Cloud will still continue to function with Strapi 4 but that may be subject change in the near future without warning.
What's Changed
Security
- Fixed a critical vulnerability where relational filtering could expose sensitive data through insufficient query sanitization. See GHSA-rjg2-95x7-8qmx / CVE-2026-27886.
- Upgraded
tarto v7 to address security warnings. - Applied v4 dependency security and maintenance updates.
Fixes
- Enforced unique admin email validation when updating the authenticated user profile.
Compatibility
- Added Node.js 22 support for Strapi v4.
Full Changelog: v4.26.1...v4.26.2
Source: original entry ↗