CVE-2026-29784 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the Ghost content management system, a popular Node.js-based platform for publishing. The flaw exists in versions 5.101.6 through 6.19.2 due to incomplete CSRF protections on the /session/verify endpoint. Specifically, the vulnerability allows attackers to misuse one-time tokens (OTCs) in login sessions that differ from the requesting session, effectively bypassing intended session validation mechanisms. This weakness can be exploited by attackers who craft malicious web requests that, when executed by authenticated users, perform unauthorized actions on their behalf without their consent. The consequence is that attackers may gain control over Ghost sites by hijacking user sessions or manipulating authentication flows, facilitating phishing campaigns or unauthorized content changes. The vulnerability has a CVSS 3.1 score of 7.5, reflecting high severity due to its network attack vector, requirement for user interaction, and potential for full confidentiality, integrity, and availability compromise. The Ghost development team addressed the issue in version 6.19.3 by implementing proper CSRF protections around the affected endpoint, closing the session token misuse vector. No public exploits have been reported yet, but the vulnerability’s nature and impact warrant urgent remediation.

The vulnerability allows attackers to perform unauthorized actions on Ghost sites by exploiting CSRF weaknesses in session verification. This can lead to account takeover, unauthorized content publishing or modification, and potential site defacement or data leakage. For organizations relying on Ghost for content management, this undermines the integrity and availability of their web presence, potentially damaging reputation and trust. Attackers could also leverage compromised sites to distribute phishing content or malware, amplifying the threat. Since the vulnerability affects session management, it can disrupt user authentication flows, causing denial of service or persistent unauthorized access. The high CVSS score indicates a significant risk, especially for sites exposed to the internet without additional protective controls. The lack of known exploits currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits given the vulnerability details.

Organizations should immediately upgrade all Ghost installations to version 6.19.3 or later, where the vulnerability is patched. Until upgrading is possible, administrators can implement additional CSRF protections such as enforcing strict SameSite cookie attributes, validating Origin and Referer headers on sensitive endpoints, and employing web application firewalls (WAFs) to detect and block suspicious CSRF attempts targeting /session/verify. Monitoring authentication logs for unusual session activity can help detect exploitation attempts. Educating users about phishing risks and avoiding clicking on suspicious links reduces the likelihood of user interaction required for exploitation. Regularly auditing and restricting administrative access to trusted networks and devices further limits exposure. Finally, maintaining up-to-date backups ensures recovery capability in case of compromise.