{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22594", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T21:50:39.532Z", "datePublished": "2026-01-10T02:56:47.226Z", "dateUpdated": "2026-01-12T17:53:57.181Z"}, "containers": {"cna": {"title": "Ghost has Staff 2FA bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-5fp7-g646-ccf4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-5fp7-g646-ccf4"}, {"name": "https://github.com/TryGhost/Ghost/commit/b59f707f670e6f175b669977724ccf16c718430b", "tags": ["x_refsource_MISC"], "url": "https://github.com/TryGhost/Ghost/commit/b59f707f670e6f175b669977724ccf16c718430b"}, {"name": "https://github.com/TryGhost/Ghost/commit/fc7bc2fb0888513498154ec5cb4b21eccb88de07", "tags": ["x_refsource_MISC"], "url": "https://github.com/TryGhost/Ghost/commit/fc7bc2fb0888513498154ec5cb4b21eccb88de07"}], "affected": [{"vendor": "TryGhost", "product": "Ghost", "versions": [{"version": ">= 6.0.0, < 6.11.0", "status": "affected"}, {"version": ">= 5.105.0, < 5.130.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T02:56:47.226Z"}, "descriptions": [{"lang": "en", "value": "Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0."}], "source": {"advisory": "GHSA-5fp7-g646-ccf4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T17:53:47.818587Z", "id": "CVE-2026-22594", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T17:53:57.181Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22594", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-12T17:53:47.818587Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T17:53:51.563Z"}}], "cna": {"title": "Ghost has Staff 2FA bypass", "source": {"advisory": "GHSA-5fp7-g646-ccf4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "TryGhost", "product": "Ghost", "versions": [{"status": "affected", "version": ">= 6.0.0, < 6.11.0"}, {"status": "affected", "version": ">= 5.105.0, < 5.130.6"}]}], "references": [{"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-5fp7-g646-ccf4", "name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-5fp7-g646-ccf4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/TryGhost/Ghost/commit/b59f707f670e6f175b669977724ccf16c718430b", "name": "https://github.com/TryGhost/Ghost/commit/b59f707f670e6f175b669977724ccf16c718430b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/TryGhost/Ghost/commit/fc7bc2fb0888513498154ec5cb4b21eccb88de07", "name": "https://github.com/TryGhost/Ghost/commit/fc7bc2fb0888513498154ec5cb4b21eccb88de07", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T02:56:47.226Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22594", "state": "PUBLISHED", "dateUpdated": "2026-01-12T17:53:57.181Z", "dateReserved": "2026-01-07T21:50:39.532Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-10T02:56:47.226Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D77531A4-EAE2-4A4E-96C6-B711107B6AC3", "versionEndExcluding": "5.130.6", "versionStartIncluding": "5.105.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "9EC484AC-A1F0-4C13-BFAB-9DA57116957D", "versionEndExcluding": "6.11.0", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0."}], "id": "CVE-2026-22594", "lastModified": "2026-01-15T18:12:10.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-10T03:15:50.400", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/TryGhost/Ghost/commit/b59f707f670e6f175b669977724ccf16c718430b"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/TryGhost/Ghost/commit/fc7bc2fb0888513498154ec5cb4b21eccb88de07"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-5fp7-g646-ccf4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:14:25.353092+00:00", "value": {"mitigation_remediation": ["Upgrade Ghost to version 5.130.6 or later 6.11.0 to receive the 2FA fix.", "Temporarily disable all staff accounts or dh new 2FA\u2011protected accounts until the patch is applied, preventing unauthenticated staff logins.", "After applying the patch, re\u2011enable 2FA for staff, review audit logs for suspicious logins, and tighten staff access controls."], "summary": {"action": "Immediate Patch", "impact": "2FA bypass enabling staff login without email verification"}, "threat_synthesis": {"affected_systems": "The vulnerability affects TryGhost\u2019s Ghost CMS. Affected releases include versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3. Patching to 5.130.6 or higher, or 6.11.0 or higher, removes the flaw.", "description_and_impact": "Ghost, a Node.js content management system, suffers from a flaw in its two\u2011factor authentication mechanism that lets staff users bypass the required email verification. This is an improper authentication vulnerability (CWE\u2011287) that could allow an attacker to gain staff\u2011level access without a second factor, compromising the confidentiality, integrity, and availability of the system.", "risk_and_exploitability": "The CVSS score is 8.1, indicating a high severity flaw. The EPSS score is below 1\u202f%, suggesting a low current exploitation probability, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is remote via the web interface, where an attacker possessing a staff account or credentials can skip the 2FA step to gain elevated privileges. Because no additional exploit conditions are noted, the risk is primarily moderated by the need for pre\u2011existing staff credentials or the ability to compromise them first."}}}}, "created": "2026-01-12T14:36:47.193128+00:00", "updated": "2026-04-18T07:15:25.862026+00:00", "vendors": ["ghost", "ghost$PRODUCT$ghost"]}