CVE-2026-53947 Overview
CVE-2026-53947 is an information disclosure vulnerability in Ghost, a Node.js content management system. Versions from 5.18.0 until 6.21.1 return discrepant responses from the members signin endpoints. An unauthenticated remote attacker can use this behavior to determine whether a given email address corresponds to a registered member of a Ghost site. The issue is classified under [CWE-204] (Observable Response Discrepancy) and resolved in Ghost 6.21.1.
Critical Impact
Unauthenticated attackers can enumerate valid member email addresses on any vulnerable Ghost site by observing differences in signin endpoint responses.
Affected Products
- Ghost (TryGhost) versions 5.18.0 through 6.21.0
- Self-hosted Ghost deployments exposing the members signin endpoints
- Ghost(Pro) instances on affected releases prior to vendor patching
Discovery Timeline
- 2026-06-24 - CVE-2026-53947 published to NVD
- 2026-06-24 - Last updated in NVD database
Technical Details for CVE-2026-53947
Vulnerability Analysis
The vulnerability resides in Ghost's members signin endpoints. These endpoints respond differently depending on whether the supplied email address belongs to a registered member. An attacker submits candidate email addresses and observes the response to classify each address as valid or invalid. This pattern matches [CWE-204], an observable response discrepancy that leaks information about back-end state. The disclosed data is limited to membership status, so confidentiality is partially impacted while integrity and availability are not affected.
Root Cause
The signin handlers in affected Ghost versions failed to return uniform responses for known and unknown email addresses. Differences in response body content, status codes, or timing allow an external observer to distinguish between the two cases. A correctly implemented signin flow returns the same generic response regardless of whether the email exists in the members database.
Attack Vector
The attack is performed over the network without authentication or user interaction. An attacker scripts HTTP requests against the public Ghost members signin endpoint with a list of candidate email addresses. By comparing responses, the attacker compiles a list of valid member emails. These addresses can then feed targeted phishing campaigns, credential stuffing attempts against other services, or reconnaissance for further attacks against the Ghost site operator.
No verified exploit code is published. The vulnerability mechanism is described in the Ghost GitHub Security Advisory GHSA-chgm-3698-jm42.
Detection Methods for CVE-2026-53947
Indicators of Compromise
- High-volume sequential POST requests to the /members/api/send-magic-link/ or related signin endpoints from a single source IP.
- Requests submitting many distinct email addresses with low repetition over short intervals.
- Source IPs originating from hosting providers, anonymizing proxies, or known scanning infrastructure.
Detection Strategies
- Inspect web server and reverse-proxy access logs for elevated request rates against members signin paths.
- Correlate request bodies or query parameters across sessions to identify enumeration patterns rather than legitimate signin attempts.
- Apply rate-based rules in a WAF to flag clients submitting more than a small number of distinct emails per minute.
Monitoring Recommendations
- Forward Ghost application and Nginx access logs to a centralized log platform for retention and search.
- Alert when a single IP or user agent generates a high ratio of unique email submissions to successful signins.
- Track baseline signin volumes per site and trigger alerts on statistical deviations.
How to Mitigate CVE-2026-53947
Immediate Actions Required
- Upgrade Ghost to version 6.21.1 or later on all self-hosted instances.
- Verify Ghost(Pro) deployments are running a patched release supplied by the vendor.
- Deploy WAF or reverse-proxy rate limiting on members signin endpoints until the upgrade is complete.
Patch Information
The vendor fixed the vulnerability in Ghost 6.21.1. The patch normalizes responses from the members signin endpoints so identical output is returned regardless of whether the supplied email is registered. Patch details and the security advisory are available at GHSA-chgm-3698-jm42.
Workarounds
- Enforce strict rate limiting per source IP on /members/ signin endpoints at the reverse proxy or WAF layer.
- Place CAPTCHA or bot mitigation in front of the members signin flow to slow automated enumeration.
- Restrict members signin endpoints to expected geographies or authenticated reverse-proxy paths where business requirements allow.
# Configuration example: Nginx rate limit for Ghost members signin endpoints
http {
limit_req_zone $binary_remote_addr zone=ghost_signin:10m rate=5r/m;
server {
location ~ ^/members/api/(send-magic-link|signin) {
limit_req zone=ghost_signin burst=3 nodelay;
proxy_pass http://ghost_upstream;
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

