

Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token a…
Published:
9 January 2026 at 23:00:00
Alert date:
10 January 2026 at 13:10:58
Source:
nvd.nist.gov
A vulnerability in the Ghost Node.js content management system affects versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3. A flaw in the handling of Staff Token authentication allowed access to endpoints that should only be reachable through Staff Session authentication: external systems authenticating with Staff Tokens issued to Admin- or Owner-role users could reach these restricted endpoints. The issue is patched in versions 5.130.6 and 6.11.0.
Mitigation steps:
Upgrade to Ghost 5.130.6 (5.x series) or 6.11.0 (6.x series), the versions in which the issue is patched.
Affected products:
Ghost CMS
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-22595
https://github.com/TryGhost/Ghost/commit/9513d2a35c21067127ce8192443d8919ddcefcc8
https://github.com/TryGhost/Ghost/commit/c3017f81a5387b253a7b8c1ba1959d430ee536a3
https://github.com/TryGhost/Ghost/security/advisories/GHSA-9xg7-mwmp-xmjx
This article was created with the assistance of AI technology by Perceptive.

