Description
Ghost is a Node.js content management system. From 5.46.1 until 6.21.2, the validation applied to filters on the public API endpoints could be partially bypassed, making it possible to reveal private fields via a brute force attack. If SQLite was used as the database password hashes were fully accessible. If MySQL was used as the database the password hashes' case (uppercase / lowercase) would have been lost, which would likely have rendered a further brute force attack on the discovered hashes fruitless. This vulnerability is fixed in 6.21.2.
Published: 2026-06-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a partial bypass of filter validation on Ghost’s public API endpoints, allowing attackers to iteratively query for disabled or private fields and expose them. When SQLite is used as the back‑end, the exposed fields include full password hashes, granting the attacker direct access to authentication data. With MySQL, the hash case is lost, reducing the usefulness of the data but still revealing the existence of passwords.

Affected Systems

TryGhost Ghost, versions from 5.46.1 up to and including 6.21.2, are affected. The fix was introduced in 6.21.2.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk level. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via the exposed public API; attackers need an environment that enables sending filter queries and can perform brute‑force enumeration of fields. Successful exploitation leads to unauthorized exposure of private data, particularly password hashes, hence a confidentiality impact.

Generated by OpenCVE AI on June 24, 2026 at 19:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ghost to version 6.21.2 or later, which contains the necessary filter validation fix.
  • If an upgrade is not immediately possible, restrict or temporarily disable the public API endpoints that expose private data until the patch is deployed.
  • Audit the public API schema to remove or move sensitive fields out of publicly exposed routes and reinforce validation logic against future bypass attempts.

Generated by OpenCVE AI on June 24, 2026 at 19:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Ghost
Ghost ghost
Vendors & Products Ghost
Ghost ghost

Wed, 24 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Ghost is a Node.js content management system. From 5.46.1 until 6.21.2, the validation applied to filters on the public API endpoints could be partially bypassed, making it possible to reveal private fields via a brute force attack. If SQLite was used as the database password hashes were fully accessible. If MySQL was used as the database the password hashes' case (uppercase / lowercase) would have been lost, which would likely have rendered a further brute force attack on the discovered hashes fruitless. This vulnerability is fixed in 6.21.2.
Title Ghost Content API filter bypass reveals private fields
Weaknesses CWE-200
CWE-693
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T18:55:24.041Z

Reserved: 2026-06-11T15:50:01.281Z

Link: CVE-2026-53949

cve-icon Vulnrichment

Updated: 2026-06-24T18:55:19.320Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T13:15:03Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-693

    Protection Mechanism Failure