CVE-2026-22594
Unknown Unknown - Not Provided

Bypass of Email 2FA in Ghost CMS Allows Unauthorized Access

Vulnerability report for CVE-2026-22594, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description

Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-10
Last Modified
2026-01-10
Generated
2026-07-07
AI Q&A
2026-01-10
EPSS Evaluated
2026-07-06
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
tryghost ghost From 5.105.0 (inc) to 5.130.5 (inc)
tryghost ghost From 6.0.0 (inc) to 6.10.3 (inc)
tryghost ghost 5.130.6
tryghost ghost 6.11.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in the Ghost content management system's two-factor authentication (2FA) mechanism allowed staff users to bypass the email-based 2FA process. The issue was caused by a property called `skipEmailVerification` in the session creation API, which was originally intended to allow bypassing 2FA immediately after a password reset (assuming the password reset via email verified the user). However, this property could be exploited by any user to skip 2FA without proper verification. The vulnerability was fixed by removing this insecure bypass and introducing a secure one-time password (OTP) verification system that requires a valid OTP token sent via email after a password reset to bypass 2FA legitimately. [1, 3]

Compliance Impact

The vulnerability allows staff users to bypass email-based two-factor authentication (2FA), which can lead to unauthorized access to sensitive data. This unauthorized access could compromise data confidentiality and integrity, potentially violating compliance requirements under standards like GDPR and HIPAA that mandate strong authentication controls to protect personal and sensitive information. Therefore, the vulnerability negatively impacts compliance by weakening authentication security and increasing the risk of data breaches. [2]

Impact Analysis

This vulnerability allows an attacker with low privileges to remotely bypass the two-factor authentication process for staff users without any user interaction. This can lead to unauthorized access to staff accounts, potentially compromising the confidentiality and integrity of sensitive data managed by the Ghost platform. Since 2FA is bypassed, attackers can perform actions as legitimate staff users, increasing the risk of data breaches and unauthorized modifications. [2]

Detection Guidance

You can detect this vulnerability by checking if your Ghost installation is running a vulnerable version (5.105.0 through 5.130.5 or 6.0.0 through 6.10.3). Additionally, monitoring API requests to the session creation endpoint for the presence of the `skipEmailVerification` property in requests could indicate exploitation attempts. Since the vulnerability involves bypassing 2FA via API manipulation, inspecting logs for unusual session creation requests containing `skipEmailVerification` or unexpected session creations without proper 2FA tokens can help detect exploitation. Specific commands depend on your environment, but for example, you can grep your server logs for `skipEmailVerification` usage: `grep -r skipEmailVerification /path/to/ghost/logs` or monitor network traffic for such API calls. Also, verifying the Ghost version can be done by running `ghost version` in the installation directory. [1, 3]

Mitigation Strategies

The immediate mitigation step is to upgrade Ghost to a patched version: 5.130.6 or later in the 5.x series, or 6.11.0 or later in the 6.x series. These versions remove the insecure `skipEmailVerification` property and implement a secure OTP-based verification process for 2FA bypass after password reset. Until you can upgrade, monitor and restrict API access to prevent unauthorized use of the `skipEmailVerification` property, and consider disabling staff user 2FA bypass features if possible. Applying the official patch or upgrade is the recommended and effective mitigation. [2, 1, 3]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22594. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart