CVE-2026-53944
Deferred Deferred - Pending Action

Ghost CMS IPv6 Bypass Allows Internal Service Access

Vulnerability report for CVE-2026-53944, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that ensures the request isn't going to an internal service using an IPv6 literal which maps to a private IPv4 address. This vulnerability is fixed in 6.21.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ghost ghost to 6.21.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify how the vulnerability CVE-2026-53944 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability affects the Ghost content management system versions from 6.0.9 up to 6.21.1. It allows an attacker to bypass the IP filter that is designed to prevent external requests from reaching internal services. The bypass is possible by using an IPv6 literal address that maps to a private IPv4 address, effectively circumventing the intended IP filtering mechanism.

Impact Analysis

The vulnerability can lead to unauthorized access to internal services by bypassing IP filtering controls. This could allow an attacker to send requests to internal services that should be protected, potentially leading to information disclosure or manipulation of internal resources.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Ghost to version 6.21.1 or later, where the issue has been fixed.

Detection Guidance

This vulnerability involves bypassing IP filters by using IPv6 literals that map to private IPv4 addresses in server-side requests made by the Ghost CMS. Detection involves monitoring outgoing requests from the Ghost server to internal services, especially those using IPv6 literals that correspond to private IPv4 ranges.

To detect exploitation attempts or presence of this vulnerability, you can:

  • Inspect network traffic from the Ghost server for unusual outbound requests to internal IP addresses using IPv6 literals.
  • Check application logs for external requests that include IPv6 literals mapping to private IPv4 addresses.
  • Use network monitoring tools like tcpdump or Wireshark to capture and analyze outgoing requests from the Ghost server.
  • Example tcpdump command to capture outgoing HTTP requests from the Ghost server:
  • sudo tcpdump -i <interface> -nn host <ghost_server_ip> and tcp port 80 or 443
  • Search logs or captured traffic for IPv6 addresses in the format ::ffff:<private IPv4> which indicates IPv6 literals mapping to private IPv4 addresses.

Additionally, verifying the Ghost version installed and ensuring it is updated to 6.21.1 or later will prevent this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53944. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart