Description
Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0.
Published: 2026-01-10
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: 2FA bypass enabling staff login without email verification
Action: Immediate Patch
AI Analysis

Impact

Ghost, a Node.js content management system, suffers from a flaw in its two‑factor authentication mechanism that lets staff users bypass the required email verification. This is an improper authentication vulnerability (CWE‑287) that could allow an attacker to gain staff‑level access without a second factor, compromising the confidentiality, integrity, and availability of the system.

Affected Systems

The vulnerability affects TryGhost’s Ghost CMS. Affected releases include versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3. Patching to 5.130.6 or higher, or 6.11.0 or higher, removes the flaw.

Risk and Exploitability

The CVSS score is 8.1, indicating a high-severity flaw. The EPSS score is below 1%, suggesting a low current exploitation probability, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is remote via the web interface, where an attacker who already holds a staff account or its credentials can skip the email 2FA step and gain the full privileges of that account. Because no additional exploit conditions are noted, the risk is primarily moderated by the need for pre-existing staff credentials or the ability to compromise them first.

Generated by OpenCVE AI on April 18, 2026 at 07:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ghost to version 5.130.6 or later (5.x line), or 6.11.0 or later (6.x line), to receive the 2FA fix.
  • Temporarily disable all staff accounts or dh new 2FA‑protected accounts until the patch is applied, preventing unauthenticated staff logins.
  • After applying the patch, re‑enable 2FA for staff, review audit logs for suspicious logins, and tighten staff access controls.

Tracking

Advisories
Source | ID | Title
Github GHSA | GHSA-5fp7-g646-ccf4 | Ghost has Staff 2FA bypass
History

Thu, 15 Jan 2026 18:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*

Mon, 12 Jan 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 12 Jan 2026 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ghost; Ghost ghost
Vendors & Products | | Ghost; Ghost ghost

Sat, 10 Jan 2026 03:15:00 +0000

Type | Values Removed | Values Added
Description | | Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0.
Title | | Ghost has Staff 2FA bypass
Weaknesses | | CWE-287
References | |
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T17:53:57.181Z

Reserved: 2026-01-07T21:50:39.532Z

Link: CVE-2026-22594

Vulnrichment

Updated: 2026-01-12T17:53:51.563Z

NVD

Status: Analyzed

Published: 2026-01-10T03:15:50.400

Modified: 2026-01-15T18:12:10.990

Link: CVE-2026-22594

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses