Impact
Ghost's staff token authentication inadvertently allowed certain administrative endpoints to be reached by any caller presenting a valid staff token, regardless of the authentication context those endpoints required. Users authenticating with a staff token issued to an account holding the Admin or Owner role could therefore call APIs intended only for session-authenticated staff, gaining access to actions that were supposed to be restricted to a logged-in session. The authorization check considered the caller's role but not how the caller had authenticated, an incorrect-authorization flaw (CWE-863) that results in privilege escalation. It does not enable arbitrary code execution, but it exposes sensitive management functionality to API callers who were never meant to reach it.
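The following is an added illustration of the bug class described above, not Ghost's code: a hypothetical Node.js route guard that authorizes on role alone sits beside one that also requires a session authentication context. The cookie name, the `Token` authorization scheme, the role strings and the credential store are assumptions chosen for the example.

```javascript
'use strict';

// Added example, not Ghost's code. Hypothetical route-guard logic that
// reproduces the bug class in the advisory: a guard that checks the
// caller's role but ignores HOW the caller authenticated, so a staff
// API token reaches endpoints meant only for browser-session staff.
// Cookie name, authorization scheme and role strings are assumptions.

// Step 1: resolve the authentication context from raw headers.
// A session cookie marks a logged-in staff session; an Authorization
// header carrying a staff token marks API-token access.
function resolveAuth(rawReq, store) {
  const cookie = rawReq.headers.cookie || '';
  const m = /(?:^|;\s*)admin-session=([^;]+)/.exec(cookie);
  if (m && store.sessions[m[1]]) {
    return { user: store.sessions[m[1]], auth: { type: 'session' } };
  }
  const authz = rawReq.headers.authorization || '';
  const t = /^Token\s+(\S+)$/.exec(authz);
  if (t && store.staffTokens[t[1]]) {
    return { user: store.staffTokens[t[1]], auth: { type: 'staff_token' } };
  }
  return { user: null, auth: null };
}

function isPrivileged(req) {
  const role = req.user && req.user.role;
  return role === 'Admin' || role === 'Owner';
}

// Vulnerable guard: any privileged principal passes, whatever the auth type.
function guardVulnerable(req) {
  return isPrivileged(req)
    ? { allowed: true }
    : { allowed: false, status: 403, reason: 'insufficient role' };
}

// Hardened guard: the endpoint is session-only, so require the role AND
// a session auth context; staff tokens are rejected with a clear reason.
function guardHardened(req) {
  if (!isPrivileged(req)) {
    return { allowed: false, status: 403, reason: 'insufficient role' };
  }
  if (!req.auth || req.auth.type !== 'session') {
    return { allowed: false, status: 403, reason: 'session-only endpoint; staff tokens not accepted' };
  }
  return { allowed: true };
}

// Constructed credential store (sample data, not real tokens).
const STORE = {
  sessions: { 'sess-111': { id: 1, role: 'Admin' } },
  staffTokens: {
    'tok-admin': { id: 2, role: 'Admin' },
    'tok-owner': { id: 3, role: 'Owner' },
    'tok-editor': { id: 4, role: 'Editor' },
  },
};

// Constructed sample requests against a session-only admin endpoint.
const SAMPLE_REQUESTS = {
  sessionAdmin: { headers: { cookie: 'theme=dark; admin-session=sess-111' } },
  tokenAdmin:   { headers: { authorization: 'Token tok-admin' } },
  tokenOwner:   { headers: { authorization: 'Token tok-owner' } },
  tokenEditor:  { headers: { authorization: 'Token tok-editor' } },
  anonymous:    { headers: {} },
};

// Run a guard over every sample and report which callers it lets through.
function allowedBy(guard) {
  return Object.keys(SAMPLE_REQUESTS)
    .filter((name) => guard(resolveAuth(SAMPLE_REQUESTS[name], STORE)).allowed);
}

// The regression check a maintainer would keep: every caller the
// vulnerable guard accepts but the hardened guard rejects is a bypass.
function bypassedCallers() {
  const fixed = new Set(allowedBy(guardHardened));
  return allowedBy(guardVulnerable).filter((name) => !fixed.has(name));
}

console.log('vulnerable guard allows:', allowedBy(guardVulnerable));
console.log('hardened guard allows:  ', allowedBy(guardHardened));
console.log('token-only bypasses:    ', bypassedCallers());
```

Running it shows the vulnerable guard admitting the Admin and Owner token callers that the hardened guard turns away, while the Editor token and the anonymous request are refused by both; the `bypassedCallers` check is the kind of test that would have caught the regression before release.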
Affected Systems
The vulnerability affects the Ghost content management system (Node.js) versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3. It was fixed in Ghost 5.130.6 and 6.11.0, and later releases on both branches carry the fix. Administrators should confirm that their instance is at or above the fixed version for the branch they run (on Ghost-CLI installs, `ghost version` prints the installed Ghost version).
Risk and Exploitability
The CVSS score of 8.1 marks this as a high-severity flaw against the administrative API. The EPSS score is reported below 1%, indicating a low estimated probability of exploitation in the wild, and the vulnerability is not currently listed in CISA's KEV catalog. Exploitation requires a valid staff token for an account with the Admin or Owner role, which an attacker could obtain through credential compromise or social engineering of a privileged user. Once such a token is held, the bypass needs no further trickery and can be repeated against each affected endpoint, so staff tokens belonging to privileged accounts are the precondition worth auditing alongside the upgrade.
OpenCVE enrichment source: GitHub GHSA