Description
Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, Ghost’s private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost server into reaching hosts on internal networks through features that issue external fetches. This vulnerability is fixed in 6.21.1.
Published: 2026-06-24
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Ghost versions 6.0.9 through 6.21.0 perform outbound HTTP requests after checking that the destination is not a private IP address. An attacker can use DNS rebinding to make that check fail, causing Ghost to reach arbitrary internal hosts via its external‑fetch features. The result is that the server can expose or exfiltrate data from internal services. This flaw maps to CWE‑918 and the underlying DNS rebinding weakness described by CWE‑367. The issue was addressed in 6.21.1.

Affected Systems

The affected product is TryGhost Ghost CMS. Versions from 6.0.9 through 6.21.0 are vulnerable, with the fix delivered in 6.21.1.

Risk and Exploitability

The CVSS score is 4, indicating a moderate risk. No EPSS score is currently available and the vulnerability is not listed in the CISA KEV catalog. The attack still requires that the attacker can influence Ghost to perform an outbound request, such as by submitting a crafted URL or triggering a content source fetch. The DNS rebinding bypass removes the private‑IP check, effectively turning Ghost into a proxy for internal network access.

Generated by OpenCVE AI on June 24, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ghost installation to version 6.21.1 or later, which contains the private IP validation fix.
  • Restrict or disable Ghost’s outbound request handling for untrusted URLs, and enforce a strict whitelist of allowable external domains.
  • If an upgrade cannot be performed immediately, block internal IP ranges from Ghost’s outbound fetch routes via firewall or server configuration, and review any custom code that may trigger external requests.

Generated by OpenCVE AI on June 24, 2026 at 20:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Ghost
Ghost ghost
Vendors & Products Ghost
Ghost ghost

Wed, 24 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, Ghost’s private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost server into reaching hosts on internal networks through features that issue external fetches. This vulnerability is fixed in 6.21.1.
Title Ghost: Server-side request forgery via DNS rebinding in external request handling
Weaknesses CWE-367
CWE-918
References
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T15:38:22.262Z

Reserved: 2026-06-11T15:50:01.281Z

Link: CVE-2026-53945

cve-icon Vulnrichment

Updated: 2026-06-25T15:38:08.943Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T13:15:03Z

Weaknesses
  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition

  • CWE-918

    Server-Side Request Forgery (SSRF)