Description
Ghost is a Node.js content management system. From 5.18.0 until 6.21.1, a discrepancy in responses from the members signin endpoints made it possible for an unauthenticated attacker to determine whether a given email address belongs to a registered member of a Ghost site. This vulnerability is fixed in 6.21.1.
Published: 2026-06-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw involves inconsistent responses from Ghost’s members signin endpoint when a magic link is requested. An unauthenticated attacker can submit arbitrary email addresses and observe differing responses that reveal whether the email is registered. This results in a member existence data leak, giving attackers knowledge of the site's user base. The vulnerability is classified as CWE‑204.

Affected Systems

Ghost, a Node.js content management system from TryGhost, is affected in versions 5.18.0 through 6.21.0 inclusive. Version 6.21.1 and later contain the fix. Any Ghost site that exposes the magic‑link signin endpoint to the public is at risk.

Risk and Exploitability

The CVSS score of 5.3 denotes moderate severity, focusing on information disclosure with no direct exploitation path. The EPSS score is not available, and the issue is not listed in CISA’s KEV catalog, indicating limited known exploitation. The likely attack vector is an unauthenticated HTTP request to the members login API, requiring no privileged access. An attacker could enumerate internal users and potentially launch credential‑guessing or phishing campaigns based on the disclosed membership information.

Generated by OpenCVE AI on June 24, 2026 at 19:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Ghost 6.21.1 or a later release that contains the fix.
  • If an immediate upgrade is not possible, restrict access to the magic‑link sign‑in endpoint by allowing only trusted networks or requiring authentication, for example with firewall or reverse‑proxy rules.
  • Consider disabling magic‑link sign‑in entirely for unauthenticated users until a patch is applied, and monitor the site for any suspicious enumeration activity.

Generated by OpenCVE AI on June 24, 2026 at 19:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Ghost
Ghost ghost
Vendors & Products Ghost
Ghost ghost

Wed, 24 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Ghost is a Node.js content management system. From 5.18.0 until 6.21.1, a discrepancy in responses from the members signin endpoints made it possible for an unauthenticated attacker to determine whether a given email address belongs to a registered member of a Ghost site. This vulnerability is fixed in 6.21.1.
Title Ghost: Member existence leak via magic link sign-in response
Weaknesses CWE-204
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T17:09:22.498Z

Reserved: 2026-06-11T15:50:01.281Z

Link: CVE-2026-53947

cve-icon Vulnrichment

Updated: 2026-06-25T17:09:17.344Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T13:15:03Z

Weaknesses
  • CWE-204

    Observable Response Discrepancy