CVE-2026-53945
Ghost CMS DNS Rebinding Allows Internal Network Access

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, Ghost’s private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost server into reaching hosts on internal networks through features that issue external fetches. This vulnerability is fixed in 6.21.1.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: ghost
Product: ghost
Version / Range: From 6.0.9 (inc) to 6.21.1 (inc)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-367: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
AI Quick Actions
Instant insights powered by AI
Executive Summary

Ghost is a Node.js content management system. Between versions 6.0.9 and 6.21.1, Ghost's private-IP check for outbound HTTP requests could be bypassed using DNS rebinding. This means an attacker could trick the Ghost server into making requests to internal network hosts by exploiting features that perform external fetches. The issue was fixed in version 6.21.1.

Impact Analysis

This vulnerability allows an attacker to bypass the private-IP check and force the Ghost server to access internal network hosts. This could lead to unauthorized internal network access or information disclosure. The impact is limited to integrity loss (as per CVSS), with no direct confidentiality or availability impact.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Ghost to version 6.21.1 or later, where the DNS rebinding bypass issue in the private-IP check for outbound HTTP requests has been fixed.

Compliance Impact

The vulnerability in Ghost (CVE-2026-53945) is a server-side request forgery (SSRF) issue that allows attackers to bypass private-IP checks and access internal network hosts. This could potentially lead to unauthorized access to internal resources, which may impact the confidentiality and integrity of data.

While the primary impact is described as low integrity loss, the ability to reach internal hosts could pose risks to sensitive data or systems that are subject to compliance requirements such as GDPR or HIPAA. Organizations using affected versions of Ghost should consider this vulnerability as a potential compliance risk, especially if internal data or protected health information could be exposed or manipulated.

Mitigations such as patching to version 6.21.1, applying network-layer restrictions, and disabling certain features can reduce the attack surface and help maintain compliance with security standards.

Detection Guidance

This vulnerability involves DNS rebinding to bypass Ghost's private-IP check for outbound HTTP requests, allowing SSRF attacks. Detection can focus on monitoring outbound HTTP requests from the Ghost server to internal IP ranges (RFC 1918, loopback, link-local addresses) that should normally be blocked.

Suggested detection methods include:

  • Monitor network traffic for unexpected outbound connections from the Ghost server to private IP ranges such as 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
  • Check server logs for unusual HTTP fetch requests or DNS queries that could indicate DNS rebinding attempts.
  • Use firewall or network monitoring tools to log and alert on outbound HTTP requests to internal IP addresses.

Example commands to detect suspicious outbound connections (run on the Ghost server):

  • Using netstat to list established outbound connections: sudo netstat -tnp | grep ESTABLISHED
  • Using tcpdump to capture outbound HTTP traffic to private IP ranges: sudo tcpdump -i any tcp dst port 80 and dst net 10.0.0.0/8
  • Using curl or wget to test if internal IPs are reachable from the Ghost server (as a manual check): curl http://127.0.0.1 or curl http://10.0.0.1

Additionally, applying network-layer restrictions such as egress firewall rules blocking outbound requests to private IP ranges can help mitigate and detect attempts to exploit this vulnerability.
