CVE-2026-53949
Received - Intake
Brute Force Bypass Exposes Ghost CMS Password Hashes

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Ghost is a Node.js content management system. From 5.46.1 until 6.21.2, the validation applied to filters on the public API endpoints could be partially bypassed, making it possible to reveal private fields via a brute force attack. If SQLite was used as the database, password hashes were fully accessible. If MySQL was used as the database, the password hashes' case (uppercase / lowercase) would have been lost, which would likely have rendered a further brute force attack on the discovered hashes fruitless. This vulnerability is fixed in 6.21.2.
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
Affected Vendors & Products
Vendor   Product   Version / Range
ghost    ghost     From 5.46.1 (inc) to 6.21.2 (inc)
ghost    ghost     6.21.2
The description above states that the fix shipped in 6.21.2; treat that release as fixed and the inclusive upper bound of the CPE range as a range artifact rather than as an affected version.
CWE ID    Description
CWE-693   The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
CWE-200   The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

This vulnerability affects the Ghost Node.js content management system versions from 5.46.1 until 6.21.2. The issue is that the validation applied to filters on the public API endpoints could be partially bypassed. This bypass allows an attacker to reveal private fields through a brute force attack.

If the system uses SQLite as the database, password hashes are fully recoverable. If MySQL is used, the case of the hash characters (uppercase/lowercase) is lost during recovery. Ghost stores bcrypt hashes, which are case-sensitive mixed-case strings, so a case-folded copy is not the real hash and an offline cracking attempt against it is unlikely to succeed.

The vulnerability was fixed in version 6.21.2.

Compliance Impact

The vulnerability in Ghost's Content API allows unauthorized access to private fields, including password hashes, which constitutes exposure of sensitive information.

Such exposure of sensitive personal data could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access.

Organizations using affected versions of Ghost without applying the patch or mitigations may risk non-compliance due to this data exposure vulnerability.

Detection Guidance

Exploitation leaves a trail of many requests to the Ghost public (Content) API whose filter parameter names private fields such as password or email, typically from a single client within a short window. Detection therefore focuses on the request parameters rather than on response contents.

A practical approach is to inspect the access logs of the reverse proxy in front of Ghost for repeated requests with filter parameters targeting sensitive fields. Because the public side of the deployment is TLS, query strings are only visible in cleartext at the TLS terminator or in the application layer, not on the wire.

Suggested commands include curl to check how an instance handles a filter on a private field, and grep to search access logs for suspicious patterns.

  • Use curl to test whether a filter on a private field is accepted; the Content API rejects requests without a valid key, so include one, e.g.: curl 'https://your-ghost-site.com/ghost/api/content/posts/?key=<content-api-key>&filter=password:exists'
  • Search the reverse proxy's access log (Ghost does not write its own HTTP access log; with the default nginx setup it is /var/log/nginx/access.log) for filter parameters naming sensitive fields, including relation-qualified forms such as authors.password and percent-encoded colons: grep -iE 'filter=[^& ]*(password|email)' /var/log/nginx/access.log
  • Use network capture tools like tcpdump or Wireshark only where the traffic is unencrypted, for example on the loopback link between the proxy and the Ghost process; TLS hides the query string on the public interface.

Additionally, implementing WAF or reverse proxy rules to block or alert on requests containing sensitive filters can help detect exploitation attempts.
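The log analysis described above, as an added example that is not part of this advisory or of Ghost's own code: it percent-decodes each request's filter parameter, recognises private fields used as filter keys in Ghost's NQL syntax (plain, relation-qualified such as authors.password, or combined with + and ,), and then surfaces source IPs that repeat such requests. The nginx "combined" log format, the log lines themselves and the threshold are assumptions constructed for the example.

```python
"""Flag Ghost public API requests whose filter= parameter references private
fields (password, email), then surface source IPs that repeat such requests.

Added example, not Ghost's own code. Assumptions: the reverse proxy in front of
Ghost writes an nginx/Apache "combined"-style access log; the sample lines below
are constructed; the alert threshold is arbitrary.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

SENSITIVE_FIELDS = ("password", "email")

# Combined access-log format (assumed): ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def _field_pattern(field):
    # Ghost filters use NQL: relations are dotted (authors.password), terms are
    # joined with + (and) and , (or) and may be parenthesised. A field is a
    # filter key when it is followed by ':' and preceded by start-of-string,
    # '.', '(', ',', '+' or whitespace (parse_qs turns a raw '+' into a space).
    return re.compile(r'(^|[.(,+\s])' + re.escape(field) + r'\s*:')


FIELD_PATTERNS = {f: _field_pattern(f) for f in SENSITIVE_FIELDS}


def sensitive_filters(request_path):
    """Return the sorted private field names used as filter keys in a request path.

    Percent-encoding is decoded first, so filter=authors.password%3A-null is
    caught as well as the plain form; password_hash or primary_email are not
    counted because the field name must stand alone as a key.
    """
    params = parse_qs(urlsplit(request_path).query, keep_blank_values=True)
    found = set()
    for value in params.get("filter", []):
        low = value.lower()
        for field, pattern in FIELD_PATTERNS.items():
            if pattern.search(low):
                found.add(field)
    return sorted(found)


def analyze(lines, threshold=2):
    """Parse access-log lines; return the matching events and the IPs that
    issued at least `threshold` requests filtering on private fields.

    Both 2xx and 4xx responses are counted: on a patched instance the probes
    still show intent even when they are rejected.
    """
    events = []
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool would count these
        fields = sensitive_filters(m["path"])
        if fields:
            events.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                           "status": int(m["status"]), "fields": fields})
            per_ip[m["ip"]] += 1
    flagged = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return {"events": events, "flagged_ips": flagged}


# Constructed sample lines: one client probes author password/email fields over
# several requests; another sends ordinary filters plus a single stray probe.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jun/2026:10:00:01 +0000] "GET /ghost/api/content/posts/?key=k1&filter=tag:news HTTP/1.1" 200 1543',
    '203.0.113.7 - - [24/Jun/2026:10:00:02 +0000] "GET /ghost/api/content/posts/?key=k1&filter=authors.password%3A-null HTTP/1.1" 200 812',
    '203.0.113.7 - - [24/Jun/2026:10:00:02 +0000] "GET /ghost/api/content/posts/?key=k1&filter=authors.email%3A~%27admin%27 HTTP/1.1" 200 812',
    '203.0.113.7 - - [24/Jun/2026:10:00:03 +0000] "GET /ghost/api/content/authors/?key=k1&filter=password%3A-null HTTP/1.1" 200 600',
    '198.51.100.9 - - [24/Jun/2026:10:00:05 +0000] "GET /ghost/api/content/posts/?key=k2&filter=authors.slug%3Ajane HTTP/1.1" 200 1543',
    '198.51.100.9 - - [24/Jun/2026:10:00:06 +0000] "GET /ghost/api/content/posts/?key=k2&filter=email%3A-null HTTP/1.1" 400 120',
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ev in result["events"]:
        print(f'{ev["ip"]} {ev["ts"]} {ev["status"]} fields={ev["fields"]} {ev["path"]}')
    print("flagged:", result["flagged_ips"])
```

Run it against a real log with `analyze(open("/var/log/nginx/access.log").read().splitlines())` after adjusting `LOG_RE` to the proxy's actual format; the threshold should be tuned so that a single legitimate query on, for example, an author's email does not page anyone, while a burst from one address does.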

Impact Analysis

This vulnerability can lead to unauthorized disclosure of private fields via the public API, which may include sensitive information such as password hashes.

If SQLite is used, attackers can recover password hashes in full, enabling offline cracking of weak user passwords.

If MySQL is used, the case of the recovered hash characters is lost; since bcrypt hashes are case-sensitive, the recovered value is not the real hash and offline cracking against it is unlikely to succeed.

Overall, this could compromise user account security and privacy.

Mitigation Strategies

The vulnerability is fixed in Ghost version 6.21.2. The immediate step is to upgrade your Ghost installation to version 6.21.2 or later. Where the upgrade cannot be applied at once, a reverse proxy or WAF rule that rejects Content API requests whose filter parameter names private fields (password, email, including relation-qualified forms such as authors.password) reduces exposure in the meantime. Installations that ran an affected version on SQLite should treat staff password hashes as potentially disclosed and have those users change their passwords after upgrading.
