


Perceptive Security
SOC/SIEM Consultancy

Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unaut…
Published:
27 May 2026 at 22:00:00
Alert date:
28 May 2026 at 20:05:25
Source:
nvd.nist.gov
Web Technologies, Identity & Access
Automad content management system versions 2.0.0-alpha.1 to 2.0.0-beta.27 contain a Broken Access Control vulnerability. The flaw allows unauthenticated attackers to retrieve the bcrypt password hashes of all administrator accounts with a single POST request. The vulnerable endpoint /_api/user-collection/create-first-user remains publicly accessible after initial setup has completed and returns full user data in its JSON responses. This is a critical security flaw that could lead to credential compromise. The vulnerability has been patched in version 2.0.0-beta.28.
Technical details
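As an added detection example (not code from the advisory, NVD or the Automad project), the following Python flags POST requests to the endpoint named above that arrive after initial setup has completed, which on the affected versions should never happen. The access-log lines, the SETUP_COMPLETED cut-off and the severity labels are constructed assumptions for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed access-log lines in combined log format (not real traffic, for illustration only).
SAMPLE_LOG = """\
192.0.2.10 - - [28/May/2026:18:00:02 +0000] "POST /_api/user-collection/create-first-user HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2026:19:55:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2026:19:55:09 +0000] "POST /_api/user-collection/create-first-user HTTP/1.1" 200 871 "-" "python-requests/2.31"
198.51.100.4 - - [28/May/2026:19:56:12 +0000] "POST /_api/page/data HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2026:19:57:30 +0000] "POST /_api/user-collection/create-first-user HTTP/1.1" 403 0 "-" "curl/8.5"
"""

# Assumed time at which initial setup (creation of the first admin) finished; any later
# call to the endpoint is unexpected on the vulnerable versions named in the advisory.
SETUP_COMPLETED = datetime(2026, 5, 28, 18, 0, 30, tzinfo=timezone.utc)

VULN_ENDPOINT = "/_api/user-collection/create-first-user"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    # Drop any query string so /path?x=1 still matches the endpoint.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec

def find_suspicious_calls(log_text, setup_completed=SETUP_COMPLETED):
    """Return POST calls to the first-user endpoint made after setup completed.
    Severity 'data_returned' = 200 with a body (user data sent to an unauthenticated
    caller, the advisory's failure mode); 'attempt' = refused or empty response."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != VULN_ENDPOINT:
            continue
        if setup_completed is not None and rec["ts"] <= setup_completed:
            continue  # legitimate first-run setup call, pass setup_completed=None to flag all
        rec["severity"] = "data_returned" if rec["status"] == 200 and rec["size"] > 0 else "attempt"
        hits.append(rec)
    return hits
```

A 'data_returned' hit on an unpatched instance is the point at which administrator hashes should be treated as exposed and rotated, not merely logged.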
Mitigation steps:
Affected products:
Automad
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-45332
https://github.com/marcantondahmen/automad/security/advisories/GHSA-xm76-r88j-vm3g
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
