CVE-2026-22595
Authentication Bypass in Ghost CMS Staff Token Allows Unauthorized Access
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tryghost | ghost | From 5.121.0 (inc) to 5.130.5 (inc) |
| tryghost | ghost | From 6.0.0 (inc) to 6.10.3 (inc) |
| tryghost | ghost | 5.130.6 |
| tryghost | ghost | 6.11.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22595 is an authorization bypass vulnerability in the Ghost content management system related to how Staff Token authentication is handled. The issue was caused by inconsistent handling of trailing slashes in URL path checks for sensitive API endpoints. Specifically, the system only blocked requests with trailing slashes (e.g., /db/ and /users/owner/), but the Express.js routing framework treats paths with and without trailing slashes equivalently. This allowed staff tokens, which have limited permissions, to bypass security checks by omitting the trailing slash and access endpoints that should only be accessible via Staff Session authentication. As a result, unauthorized destructive actions such as deleting all site content or transferring site ownership could be performed. The vulnerability was fixed by updating the authorization logic to block both trailing slash and non-trailing slash variants of these endpoints. [1, 2, 3]
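The pattern described above, as an added example that is not Ghost's own code: a path check that only recognises the trailing-slash spelling, beside one that canonicalises the path before comparing. The two endpoint paths come from the advisory; every function and variable name here is this example's own, and the "session" / "staff_token" labels are an assumed way of representing the two authentication types.

```javascript
// Added example, not Ghost's own code: a trailing-slash-sensitive path check
// beside a normalising one. The two endpoints come from the advisory; every
// function and variable name here is this example's own.

// Endpoints that the advisory says must only be reachable with a Staff Session.
const SESSION_ONLY = [
  { method: 'DELETE', path: '/db' },
  { method: 'PUT', path: '/users/owner' },
];

// Vulnerable pattern: the raw request path is compared against the
// trailing-slash spelling only. Express (non-strict routing, the default)
// sends '/db' and '/db/' to the same handler, so a request for '/db' reaches
// the handler without ever matching this list.
function isBlockedVulnerable(method, rawPath) {
  return SESSION_ONLY.some(
    (e) => e.method === method && rawPath === e.path + '/'
  );
}

// Canonical form of a request path: drop the query string and any trailing
// slashes, so the check compares what the router actually dispatches on.
function canonicalPath(rawPath) {
  const noQuery = rawPath.split('?')[0];
  const trimmed = noQuery.replace(/\/+$/, '');
  return trimmed === '' ? '/' : trimmed;
}

// Fixed pattern: normalise first, then compare exact method and path.
function isBlockedFixed(method, rawPath) {
  const p = canonicalPath(rawPath);
  return SESSION_ONLY.some((e) => e.method === method && p === e.path);
}

// Authorization decision for one request. authType is 'session' or
// 'staff_token' (assumed labels); isBlocked is one of the two checks above.
function authorize(authType, method, rawPath, isBlocked) {
  if (authType === 'session') {
    return { allowed: true, reason: 'staff session' };
  }
  if (isBlocked(method, rawPath)) {
    return { allowed: false, reason: 'endpoint requires a staff session' };
  }
  return { allowed: true, reason: 'token permitted' };
}

// Run a few request spellings through both checks as a staff token and
// return one row per request showing whether each check lets it through.
function compareChecks() {
  const requests = [
    ['DELETE', '/db/'],
    ['DELETE', '/db'],
    ['PUT', '/users/owner/'],
    ['PUT', '/users/owner?include=roles'],
    ['GET', '/db'],
  ];
  return requests.map(([method, rawPath]) => ({
    method,
    rawPath,
    vulnerable: authorize('staff_token', method, rawPath, isBlockedVulnerable).allowed,
    fixed: authorize('staff_token', method, rawPath, isBlockedFixed).allowed,
  }));
}

console.table(compareChecks());
```

The table shows the defect in one row: `DELETE /db` passes the vulnerable check and is refused by the fixed one, while `DELETE /db/` is refused by both. The general lesson is that an allow/deny list keyed on a path string must compare against the same canonical form the router uses; the fixed check also drops a query string for the same reason.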
How can this vulnerability impact me?
This vulnerability can allow an attacker with a Staff Token (associated with Admin or Owner roles) to perform unauthorized destructive actions on a Ghost site. Specifically, they could delete all site content using the DELETE /db endpoint or transfer site ownership using the PUT /users/owner endpoint. These actions compromise the integrity and availability of the site, potentially causing significant data loss and unauthorized control over the site. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized requests to sensitive endpoints that should be restricted for staff tokens, specifically requests to the paths `/db` or `/db/` with the DELETE method, and `/users/owner` or `/users/owner/` with the PUT method. To detect exploitation attempts, you can inspect your web server or application logs for such HTTP requests made using staff tokens. For example, you can use commands like `grep` on your access logs to find suspicious requests: `grep -E 'DELETE /db/? ' access.log` and `grep -E 'PUT /users/owner/? ' access.log`. Additionally, capturing and analyzing raw HTTP requests that bypass URL normalization can help identify attempts to exploit the trailing slash mismatch. Monitoring for HTTP 403 Forbidden responses to these endpoints when accessed with staff tokens can also indicate if the fix is effective or if attempts are ongoing. [1, 2]
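The log review suggested above, as an added example that is not part of the advisory or the Ghost project: a scanner over access-log lines that treats `/db`, `/db/` and `/db?x=1` as the same endpoint, so a normalisation bypass is not missed the way a literal `grep` for one spelling would miss it. The log lines are constructed for this example; the `/ghost/api/admin` prefix in them is an assumption about where the admin API is mounted, and the scanner matches on the path suffix so that prefix does not matter.

```javascript
// Added example, not from the advisory or the Ghost project: scan access-log
// lines for the method/path pairs the advisory names, normalising the path
// (query string and trailing slashes removed) before matching.
// The sample log below is constructed; the '/ghost/api/admin' prefix in it is
// an assumption, and matching is on the path suffix so the prefix is irrelevant.

const WATCHED = [
  { method: 'DELETE', suffix: '/db' },
  { method: 'PUT', suffix: '/users/owner' },
];

// Request line and status of a combined-format access log entry:
//   "METHOD /path HTTP/1.1" 403
const REQUEST_RE = /"([A-Z]+) (\S+) HTTP\/[\d.]+"\s+(\d{3})/;

// Same canonicalisation a correct authorization check would apply.
function canonicalPath(rawPath) {
  const noQuery = rawPath.split('?')[0];
  const trimmed = noQuery.replace(/\/+$/, '');
  return trimmed === '' ? '/' : trimmed;
}

// Returns a hit record if the line is a request for a watched endpoint,
// otherwise null. Both slash spellings land on the same endpoint record.
function classifyLine(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return null;
  const [, method, rawPath, status] = m;
  const path = canonicalPath(rawPath);
  const hit = WATCHED.find(
    (w) => w.method === method && (path === w.suffix || path.endsWith(w.suffix))
  );
  if (!hit) return null;
  return {
    method,
    rawPath,
    endpoint: hit.suffix,
    status: Number(status),
    // A 2xx means the request went through; a 403 means it was refused.
    succeeded: Number(status) < 400,
    line,
  };
}

function scanAccessLog(text) {
  return text.split('\n').map(classifyLine).filter((h) => h !== null);
}

// Per-endpoint counts of refused versus successful requests.
function summarize(hits) {
  const out = {};
  for (const h of hits) {
    const key = `${h.method} ${h.endpoint}`;
    out[key] = out[key] || { succeeded: 0, refused: 0 };
    if (h.succeeded) out[key].succeeded += 1;
    else out[key].refused += 1;
  }
  return out;
}

// Constructed sample log (not real traffic). The two spellings of each
// endpoint are deliberately mixed.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Jan/2026:10:00:01 +0000] "GET /ghost/api/admin/posts/ HTTP/1.1" 200 512',
  '203.0.113.7 - - [10/Jan/2026:10:00:02 +0000] "DELETE /ghost/api/admin/db/ HTTP/1.1" 403 0',
  '203.0.113.7 - - [10/Jan/2026:10:00:03 +0000] "DELETE /ghost/api/admin/db HTTP/1.1" 204 0',
  '203.0.113.7 - - [10/Jan/2026:10:00:04 +0000] "PUT /ghost/api/admin/users/owner/ HTTP/1.1" 403 0',
  '203.0.113.7 - - [10/Jan/2026:10:00:05 +0000] "PUT /ghost/api/admin/users/owner?include=roles HTTP/1.1" 200 310',
  '203.0.113.7 - - [10/Jan/2026:10:00:06 +0000] "GET /ghost/api/admin/db/ HTTP/1.1" 200 2048',
].join('\n');

console.log(summarize(scanAccessLog(SAMPLE_LOG)));
```

On the sample, each endpoint shows one refused request (the trailing-slash spelling, 403) and one that succeeded (the bare or query-string spelling), which is exactly the signature of the mismatch. A web server access log does not record whether a request carried a staff token or a session cookie, so separating the two needs the application's own logs; the `succeeded` flag is the field to pivot on when a successful request is found on an instance that has not yet been upgraded.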
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Ghost platform to a patched version where this vulnerability is fixed. Specifically, upgrade to version 5.130.6 or later in the 5.x series, or 6.11.0 or later in the 6.x series. These versions include the fix that properly blocks staff tokens from accessing sensitive endpoints regardless of trailing slash presence. Until the upgrade is applied, restrict or monitor staff token usage carefully, especially for Admin/Owner roles, and consider implementing additional access controls or network-level restrictions to prevent unauthorized API calls to the `/db` and `/users/owner` endpoints. [3]