CVE-2026-22595 Overview
CVE-2026-22595 is an authorization bypass vulnerability in Ghost, a popular Node.js content management system. The vulnerability exists in Ghost's handling of Staff Token authentication, where a trailing slash mismatch in endpoint validation allowed Staff Tokens to access endpoints that were only intended to be accessible via Staff Session authentication. This flaw could allow external systems authenticated via Staff Tokens for Admin/Owner-role users to access restricted administrative endpoints, including database deletion and ownership transfer functions.
Critical Impact
Attackers with Staff Token access for Admin/Owner roles could bypass authorization controls to delete all site content or transfer site ownership by exploiting inconsistent path matching in the authentication middleware.
Affected Products
- Ghost versions 5.121.0 through 5.130.5
- Ghost versions 6.0.0 through 6.10.3
Discovery Timeline
- 2026-01-10 - CVE-2026-22595 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2026-22595
Vulnerability Analysis
This vulnerability is classified under CWE-863 (Incorrect Authorization). The flaw exists in Ghost's admin middleware responsible for restricting Staff Token access to sensitive endpoints. The authorization logic checked for specific paths with trailing slashes (e.g., /db/ and /users/owner/), but Express.js routes accept both trailing-slash and non-trailing-slash variations of URLs. This inconsistency meant that requests to /db or /users/owner (without trailing slashes) would bypass the Staff Token restrictions while still being routed to the same endpoint handlers.
The vulnerability is exploitable over the network and requires low privileges (a valid Staff Token with Admin or Owner role), but no user interaction is needed to exploit it.
Root Cause
The root cause is improper path matching in the authorization middleware. The original code only checked for paths with trailing slashes when determining if a Staff Token was attempting to access blocked endpoints. Since Express.js route matching is non-strict by default (both /db/ and /db reach the same handler) while req.path keeps whatever spelling the client sent, attackers could bypass the authorization check simply by omitting the trailing slash from their requests.
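To make the root cause concrete, here is an added example (not Ghost's own code) that puts the trailing-slash-only check beside a hardened version which normalizes req.path once before comparing; the minimal req objects, the STAFF_TOKEN_BLOCKLIST table and the compare helper are constructed for this illustration.

```javascript
// Added example, not Ghost's own code. `req` is a minimal stand-in for an
// Express request: { method, path, api_key }; api_key.user_id marks a staff token.
function isStaffToken(req) {
  return Boolean(req.api_key && req.api_key.user_id);
}

// Vulnerable form of the check: exact match on the trailing-slash spelling
// only, so a request for "/db" is never recognised as blocked.
function isBlockedVulnerable(req) {
  if (!isStaffToken(req)) return false;
  const isDeleteAllContent = req.method === 'DELETE' && req.path === '/db/';
  const isTransferOwnership = req.method === 'PUT' && req.path === '/users/owner/';
  return isDeleteAllContent || isTransferOwnership;
}

// Express non-strict routing treats "/db" and "/db/" as the same route but
// leaves req.path exactly as sent, so strip one trailing slash (keeping "/"
// itself intact) before any comparison.
function normalizePath(p) {
  return p.length > 1 && p.endsWith('/') ? p.slice(0, -1) : p;
}

// Hardened form: blocked endpoints live in one table keyed by method and
// normalized path, so adding an entry cannot repeat the slash mistake.
const STAFF_TOKEN_BLOCKLIST = [
  { method: 'DELETE', path: '/db' },          // delete all content
  { method: 'PUT',    path: '/users/owner' }, // transfer ownership
];
function isBlockedHardened(req) {
  if (!isStaffToken(req)) return false;
  const path = normalizePath(req.path);
  return STAFF_TOKEN_BLOCKLIST.some(b => b.method === req.method && b.path === path);
}

// Constructed requests: a staff token using both spellings, plus a harmless
// method and an integration token (no user_id) for contrast.
const staff = { user_id: 'u1' };
const SAMPLE_REQUESTS = [
  { method: 'DELETE', path: '/db/',         api_key: staff },
  { method: 'DELETE', path: '/db',          api_key: staff },
  { method: 'PUT',    path: '/users/owner', api_key: staff },
  { method: 'GET',    path: '/db',          api_key: staff },
  { method: 'DELETE', path: '/db',          api_key: { user_id: null } },
];
// One row per request showing what each version of the check decides.
function compare(requests = SAMPLE_REQUESTS) {
  return requests.map(r => ({ request: `${r.method} ${r.path}`,
    vulnerable: isBlockedVulnerable(r), hardened: isBlockedHardened(r) }));
}
```

Running compare() shows the second and third rows blocked only by the hardened check, which is exactly the gap the advisory describes.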
Attack Vector
An attacker with a Staff Token associated with an Admin or Owner role could craft HTTP requests to restricted endpoints without trailing slashes. For example:
- DELETE /db instead of DELETE /db/ to delete all site content
- PUT /users/owner instead of PUT /users/owner/ to transfer site ownership
These requests would pass the Staff Token authorization checks while still reaching the intended (and dangerous) endpoint handlers.
// Vulnerable code - only checked trailing slash paths
// Source: https://github.com/TryGhost/Ghost/commit/9513d2a35c21067127ce8192443d8919ddcefcc8
// Staff tokens have a user_id associated with them, integration tokens don't
if (req.api_key?.get('user_id')) {
// Check if staff token is trying to access blocked endpoints
- const isDeleteAllContent = req.method === 'DELETE' && req.path === '/db/';
- const isTransferOwnership = req.method === 'PUT' && req.path === '/users/owner/';
+ // Match both with and without trailing slash since Express routes accept both
+ const isDeleteAllContent = req.method === 'DELETE' && (req.path === '/db/' || req.path === '/db');
+ const isTransferOwnership = req.method === 'PUT' && (req.path === '/users/owner/' || req.path === '/users/owner');
if (isDeleteAllContent || isTransferOwnership) {
return next(new errors.NoPermissionError({
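Review bot: the fix enumerates both spellings of each path literally (`req.path === '/db/' || req.path === '/db'`), which is correct for the two endpoints here but invites the same slip the next time an endpoint is added to this list. Consider normalizing once before the comparisons, e.g. `const path = req.path.replace(/\/$/, '');` followed by `req.method === 'DELETE' && path === '/db'`, and adding a regression test that sends each blocked endpoint in both spellings with a staff token so a future change cannot quietly reopen the gap.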
Detection Methods for CVE-2026-22595
Indicators of Compromise
- Unexpected DELETE requests to /ghost/api/admin/db or /ghost/api/admin/db/ endpoints
- Unusual PUT requests to /ghost/api/admin/users/owner or /ghost/api/admin/users/owner/ endpoints
- Staff Token authentication (API key with associated user_id) being used to access these restricted endpoints
- Sudden loss of site content or unexpected ownership changes in Ghost instances
Detection Strategies
- Monitor web server access logs for DELETE requests targeting /db or /db/ paths in the Ghost admin API
- Alert on PUT requests to /users/owner paths, especially when authenticated via API tokens rather than session cookies
- Implement web application firewall rules to flag requests to sensitive Ghost admin endpoints that bypass normal session authentication
- Review Ghost audit logs for database deletion or ownership transfer actions performed via Staff Tokens
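As an added example (not part of the page's own guidance), the following scanner applies the two log-based detection rules above to nginx combined-format access log lines, treating both spellings of each path as one endpoint; the log format, the sample lines and the function names are assumptions.

```javascript
// Added example, not the page's own tooling: parse nginx combined-format
// access log lines (format and sample lines are assumptions) and flag the
// request shapes described above, in either trailing-slash spelling.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) \d+/;

// Drop the query string and one trailing slash so both spellings compare equal.
function normalizePath(rawPath) {
  const path = rawPath.split('?')[0];
  return path.length > 1 && path.endsWith('/') ? path.slice(0, -1) : path;
}

// Sensitive admin endpoints from the advisory; the optional version segment
// (e.g. /v3/) follows the nginx rule on this page for older API URL layouts.
const SENSITIVE = [
  { method: 'DELETE', re: /^\/ghost\/api\/(?:v\d+\/)?admin\/db$/, label: 'delete-all-content' },
  { method: 'PUT', re: /^\/ghost\/api\/(?:v\d+\/)?admin\/users\/owner$/, label: 'transfer-ownership' },
];

// Returns the parsed request or null for lines that do not match the format.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: normalizePath(m[4]), status: Number(m[5]) };
}

// One finding per matching request. A 2xx status means the call reached the
// handler (high); anything else was refused and is kept as an attempt (medium).
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    const hit = SENSITIVE.find(s => s.method === e.method && s.re.test(e.path));
    if (!hit) continue;
    findings.push({ ...e, label: hit.label, severity: e.status < 300 ? 'high' : 'medium' });
  }
  return findings;
}

// Constructed sample lines: a benign GET, the two sensitive calls in both
// spellings, and one attempt the server refused with 403.
const SAMPLE_LOG = [
  '203.0.113.5 - - [12/Jan/2026:10:00:01 +0000] "GET /ghost/api/admin/posts/ HTTP/1.1" 200 5120',
  '203.0.113.5 - - [12/Jan/2026:10:00:02 +0000] "DELETE /ghost/api/admin/db HTTP/1.1" 204 0',
  '203.0.113.5 - - [12/Jan/2026:10:00:03 +0000] "DELETE /ghost/api/admin/db/ HTTP/1.1" 403 98',
  '198.51.100.7 - - [12/Jan/2026:10:05:00 +0000] "PUT /ghost/api/admin/users/owner HTTP/1.1" 200 412',
];
```

scanAccessLog(SAMPLE_LOG) yields three findings; pairing a high-severity hit with the authentication method recorded by Ghost (Staff Token versus session) is what separates a legitimate administrator from a misused token.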
Monitoring Recommendations
- Enable verbose logging for Ghost admin API endpoints to capture authentication method used (Staff Token vs Session)
- Set up alerts for any successful requests to /ghost/api/admin/db and /ghost/api/admin/users/owner paths regardless of trailing slash
- Monitor for patterns of API requests with subtle URL variations targeting the same endpoints
- Periodically audit active Staff Tokens and their associated permissions to identify over-privileged tokens
How to Mitigate CVE-2026-22595
Immediate Actions Required
- Upgrade Ghost to version 5.130.6 or 6.11.0 immediately
- Audit existing Staff Tokens and revoke any that are not actively needed
- Review Ghost access logs for any suspicious activity targeting /db or /users/owner endpoints
- Temporarily disable Staff Token access if immediate patching is not possible
Patch Information
Ghost has released patched versions that address this vulnerability. The fix ensures that both trailing-slash and non-trailing-slash variations of restricted paths are blocked for Staff Token authentication:
- Version 5.130.6 - Patched for 5.x branch users (Commit 9513d2a)
- Version 6.11.0 - Patched for 6.x branch users (Commit c3017f8)
For full details, see the GitHub Security Advisory GHSA-9xg7-mwmp-xmjx.
Workarounds
- Revoke all Staff Tokens for Admin and Owner role users until patching is complete
- Implement network-level restrictions to block external access to the Ghost Admin API
- Use a reverse proxy or WAF to block DELETE requests to paths containing /db and PUT requests to paths containing /users/owner
- Restrict Staff Token usage to only necessary integrations and prefer Session-based authentication for administrative tasks
# Example: Block vulnerable endpoints at nginx reverse proxy level.
# Each location must still proxy the other methods to Ghost, otherwise nginx
# would try to serve them as static files; copy the proxy_pass and
# proxy_set_header directives from your existing Ghost location block
# (127.0.0.1:2368 is Ghost's default local port).
location ~ ^/ghost/api/(v[0-9]+/)?admin/db/?$ {
    if ($request_method = DELETE) {
        return 403;
    }
    proxy_pass http://127.0.0.1:2368;
}
location ~ ^/ghost/api/(v[0-9]+/)?admin/users/owner/?$ {
    if ($request_method = PUT) {
        return 403;
    }
    proxy_pass http://127.0.0.1:2368;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

