CVE-2026-29784
📋 TL;DR
Ghost CMS versions 5.101.6 through 6.19.2 have incomplete CSRF protection on the session verification endpoint, so a one-time code (OTC) issued for one login session can be submitted from a different login session. An attacker who phishes an administrator into producing or entering such a code can use it to complete their own login and take over the administrator account. All Ghost installations running an affected version are vulnerable; 6.19.3 fixes the issue.
💻 Affected Systems
- Ghost CMS
⚠️ Manual Verification Required
The NVD entry for this CVE may not carry version ranges, so automatic vulnerability detection that keys on NVD data cannot determine whether your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD). Use the range from the vendor advisory instead: 5.101.6 through 6.19.2 are affected, and 6.19.3 or later is fixed.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Update to Ghost 6.19.3 or later
⚠️ Risk & Real-World Impact
Worst Case
An attacker who completes a login with a stolen OTC holds an administrator session: full control of the Ghost site, content modification, upload of malicious themes, creation of integrations and API keys, and potentially a pivot to the underlying server.
Likely Case
Phishing campaigns trick administrators into triggering an OTC and handing it over (or entering it where the attacker can read it); the attacker then submits that code from their own pending login session and lands in the admin panel without the administrator's password ever being compromised.
If Mitigated
If the admin panel is reachable only from trusted IP addresses or over a VPN, an attacker cannot reach the verification endpoint to redeem a phished code, and the impact stays confined to the Ghost application without lateral movement.
🎯 Exploit Status
Exploitation requires social engineering to trick users into performing actions with OTCs. No public exploit code available but advisory provides technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.19.3
Vendor Advisory: https://github.com/TryGhost/Ghost/security/advisories/GHSA-9m84-wc28-w895
Restart Required: Yes
Instructions:
1. Back up your Ghost installation and database (Ghost-CLI provides ghost backup for content, themes and config).
2. Update Ghost with Ghost-CLI from the install directory: ghost update. Ghost-CLI manages the install; do not use npm update ghost.
3. Restart the Ghost service if the update did not already do so: ghost restart.
4. Verify the running version is 6.19.3 or higher: ghost version.
🔧 Temporary Workarounds
Restrict Admin Access
Linux: Limit admin panel access to specific IP addresses or VPN-only connections.
In a standard Ghost-CLI install Ghost listens on 127.0.0.1:2368 behind nginx, so host firewall rules on port 2368 block nothing from the outside and, without an earlier ACCEPT for the loopback interface, would also break nginx's connection to Ghost. Restrict the admin path at the reverse proxy instead (an nginx location /ghost/ block with allow TRUSTED_IP; and deny all;). Only if Ghost is exposed directly on port 2368 use host firewall rules; insert them ahead of existing ACCEPT rules, and note that the public site shares this port with the admin panel:
iptables -I INPUT -p tcp --dport 2368 -j DROP
iptables -I INPUT -p tcp --dport 2368 -s TRUSTED_IP -j ACCEPT
🧯 If You Can't Patch
- Implement strict network access controls to admin interface
- Enable multi-factor authentication for all admin accounts and monitor for suspicious login attempts
🔍 How to Verify
Check if Vulnerable:
Check the Ghost version in the admin panel under Settings → About, or run ghost version from the install directory; any version from 5.101.6 through 6.19.2 is affected.
Check Version:
ghost version
Verify Fix Applied:
Confirm the version reported by ghost version is 6.19.3 or higher
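The version check above as a script, added here as an example (it is not part of the Ghost project or of this advisory). It applies the affected range stated on this page to the output of ghost version; the "Ghost version: X.Y.Z" line layout it parses is an assumption about Ghost-CLI's output, and the "Ghost-CLI version:" line is skipped because it reports the CLI, not Ghost itself.

```python
import re
import subprocess

# Affected range from the advisory: 5.101.6 through 6.19.2 inclusive; 6.19.3 is fixed.
FIRST_AFFECTED = (5, 101, 6)
FIXED = (6, 19, 3)


def parse_version(text):
    """Extract the first MAJOR.MINOR.PATCH triple from a string as a tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True if the version lies in [5.101.6, 6.19.3), i.e. 5.101.6 through 6.19.2."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIXED


def check_cli_output(output):
    """Evaluate the text printed by `ghost version`.

    Assumption for this example: the output contains a line starting with
    "Ghost version:" followed by the installed version. The "Ghost-CLI version:"
    line does not match that prefix and is therefore ignored.
    """
    for line in output.splitlines():
        if line.strip().lower().startswith("ghost version:"):
            return is_affected(line)
    raise ValueError("no 'Ghost version:' line in output")


def main():
    # Run from the Ghost install directory; Ghost-CLI reads the version from there.
    out = subprocess.run(["ghost", "version"], capture_output=True, text=True, check=True).stdout
    if check_cli_output(out):
        print("VULNERABLE: update to 6.19.3 or later")
    else:
        print("not affected (6.19.3 or later, or below 5.101.6)")


if __name__ == "__main__":
    main()
```

Run it from the Ghost install directory as the user that owns the installation, the same way you would run ghost version.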
📡 Detection & Monitoring
Log Indicators:
- Multiple failed session verification attempts
- OTC usage from unusual IP addresses
- Admin logins from unexpected locations
Network Indicators:
- Successful requests to the /session/verify endpoint from source IPs that never sent the preceding login request
- Bursts of 4xx responses from the session verification endpoint (rejected or replayed codes)
SIEM Query:
source="ghost.log" AND ("session/verify" OR "CSRF") AND (status=200 OR status=403)
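The log indicators above as detection logic, added here as an example (not code from Ghost or from this advisory) that runs over constructed Ghost-style JSON request log lines. The req/res field names, the full admin API paths (/ghost/api/admin/session/ for the login POST and /ghost/api/admin/session/verify for the code) and the sample records are assumptions for this example. It flags a successful verification from an IP that sent no login request within the window, which is what a phished code redeemed from the attacker's own session looks like, and repeated failed verifications from one IP.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Admin session API paths. The page names only "/session/verify"; the full
# prefixes are assumptions for this example.
LOGIN_PATH = "/ghost/api/admin/session/"
VERIFY_PATH = "/ghost/api/admin/session/verify"

# Constructed sample of a JSON request log, one record per line. Field names are
# assumed for this example, not copied from a real Ghost log. The status of the
# login POST is ignored by the heuristic; only its presence matters.
SAMPLE_LOG = """\
{"time":"2026-03-01T09:00:00.000Z","req":{"method":"POST","url":"/ghost/api/admin/session/","ip":"192.0.2.5"},"res":{"statusCode":403}}
{"time":"2026-03-01T09:45:00.000Z","req":{"method":"POST","url":"/ghost/api/admin/session/verify","ip":"192.0.2.5"},"res":{"statusCode":201}}
{"time":"2026-03-01T10:00:00.000Z","req":{"method":"POST","url":"/ghost/api/admin/session/","ip":"203.0.113.10"},"res":{"statusCode":403}}
{"time":"2026-03-01T10:00:20.000Z","req":{"method":"POST","url":"/ghost/api/admin/session/verify","ip":"203.0.113.10"},"res":{"statusCode":201}}
{"time":"2026-03-01T10:05:00.000Z","req":{"method":"POST","url":"/ghost/api/admin/session/","ip":"203.0.113.10"},"res":{"statusCode":403}}
{"time":"2026-03-01T10:05:30.000Z","req":{"method":"POST","url":"/ghost/api/admin/session/verify","ip":"198.51.100.7"},"res":{"statusCode":201}}
{"time":"2026-03-01T10:06:00.000Z","req":{"method":"POST","url":"/ghost/api/admin/session/verify","ip":"198.51.100.99"},"res":{"statusCode":403}}
{"time":"2026-03-01T10:06:10.000Z","req":{"method":"POST","url":"/ghost/api/admin/session/verify","ip":"198.51.100.99"},"res":{"statusCode":403}}
{"time":"2026-03-01T10:06:20.000Z","req":{"method":"POST","url":"/ghost/api/admin/session/verify","ip":"198.51.100.99"},"res":{"statusCode":403}}
{"time":"2026-03-01T10:07:00.000Z","req":{"method":"GET","url":"/ghost/api/admin/site/","ip":"203.0.113.10"},"res":{"statusCode":200}}
"""


def parse_events(text):
    """Turn JSON log lines into time-sorted dicts of time, method, path, ip, status."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        req, res = rec.get("req", {}), rec.get("res", {})
        events.append({
            "time": datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%S.%fZ"),
            "method": req.get("method"),
            "path": req.get("url", "").split("?", 1)[0],
            "ip": req.get("ip"),
            "status": int(res.get("statusCode", 0)),
        })
    events.sort(key=lambda e: e["time"])
    return events


def analyze(text, window=timedelta(minutes=10), failure_threshold=3):
    """Return findings as (indicator, ip, iso_time) tuples.

    verify_without_login: a successful verification from an IP with no login POST
        within `window` before it (a code issued to another session being redeemed
        elsewhere, or a legitimate user who changed networks).
    verify_failures: `failure_threshold` failed verifications from one IP inside
        `window`; reported once, when the threshold is first reached.
    """
    findings = []
    last_login = {}               # ip -> time of its most recent login POST
    failures = defaultdict(list)  # ip -> times of recent failed verifications
    for e in parse_events(text):
        if e["method"] != "POST":
            continue
        if e["path"] == LOGIN_PATH:
            last_login[e["ip"]] = e["time"]
        elif e["path"] == VERIFY_PATH:
            if 200 <= e["status"] < 300:
                seen = last_login.get(e["ip"])
                if seen is None or e["time"] - seen > window:
                    findings.append(("verify_without_login", e["ip"], e["time"].isoformat()))
            else:
                recent = [t for t in failures[e["ip"]] if e["time"] - t <= window]
                recent.append(e["time"])
                failures[e["ip"]] = recent
                if len(recent) == failure_threshold:
                    findings.append(("verify_failures", e["ip"], e["time"].isoformat()))
    return findings


if __name__ == "__main__":
    for indicator, ip, when in analyze(SAMPLE_LOG):
        print(f"{when} {ip} {indicator}")
```

On the sample data 203.0.113.10 (login followed by its own verification 20 seconds later) is clean, while the verification from 198.51.100.7 right after the administrator's second login is the pattern this CVE enables. The first heuristic also fires for users who switch networks between logging in and entering the code, so tune the window to your environment and treat it as a lead for review rather than a verdict.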