CVE-2026-53949: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in TryGhost Ghost
Ghost is a Node.js content management system. From 5.46.1 until 6.21.2, the validation applied to filters on the public API endpoints could be partially bypassed, making it possible to reveal private fields via a brute force attack. If SQLite was used as the database password hashes were fully accessible. If MySQL was used as the database the password hashes' case (uppercase / lowercase) would have been lost, which would likely have rendered a further brute force attack on the discovered hashes fruitless. This vulnerability is fixed in 6.21.2.
AI Analysis
Technical Summary
TryGhost Ghost CMS versions >=5.46.1 and <6.21.2 have a vulnerability where validation on filters in public API endpoints can be partially bypassed. This allows an attacker to enumerate private fields via brute force. If the backend database is SQLite, password hashes can be fully accessed. If MySQL is used, the password hashes lose case sensitivity, reducing the likelihood of successful brute force attacks on those hashes. The vulnerability is identified as CWE-200 (Exposure of Sensitive Information) and CWE-693 (Protection Mechanism Failure). The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity). The issue is resolved in version 6.21.2.
Potential Impact
Sensitive information, including password hashes, can be exposed to unauthorized actors through the public API due to insufficient validation. This exposure could allow attackers to attempt brute force attacks on password hashes, especially when SQLite is used. The loss of case sensitivity in MySQL password hashes likely reduces the risk of successful brute forcing in that scenario. There is no indication of integrity or availability impact.
Mitigation Recommendations
Upgrade TryGhost Ghost CMS to version 6.21.2 or later, where this vulnerability is fixed. Patch status is confirmed by the vendor stating the fix is in 6.21.2. No other mitigations are indicated.
CVE-2026-53949: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in TryGhost Ghost
Description
Ghost is a Node.js content management system. From 5.46.1 until 6.21.2, the validation applied to filters on the public API endpoints could be partially bypassed, making it possible to reveal private fields via a brute force attack. If SQLite was used as the database password hashes were fully accessible. If MySQL was used as the database the password hashes' case (uppercase / lowercase) would have been lost, which would likely have rendered a further brute force attack on the discovered hashes fruitless. This vulnerability is fixed in 6.21.2.
CVSS v3.1
Score 5.3medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
TryGhost Ghost CMS versions >=5.46.1 and <6.21.2 have a vulnerability where validation on filters in public API endpoints can be partially bypassed. This allows an attacker to enumerate private fields via brute force. If the backend database is SQLite, password hashes can be fully accessed. If MySQL is used, the password hashes lose case sensitivity, reducing the likelihood of successful brute force attacks on those hashes. The vulnerability is identified as CWE-200 (Exposure of Sensitive Information) and CWE-693 (Protection Mechanism Failure). The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity). The issue is resolved in version 6.21.2.
Potential Impact
Sensitive information, including password hashes, can be exposed to unauthorized actors through the public API due to insufficient validation. This exposure could allow attackers to attempt brute force attacks on password hashes, especially when SQLite is used. The loss of case sensitivity in MySQL password hashes likely reduces the risk of successful brute forcing in that scenario. There is no indication of integrity or availability impact.
Mitigation Recommendations
Upgrade TryGhost Ghost CMS to version 6.21.2 or later, where this vulnerability is fixed. Patch status is confirmed by the vendor stating the fix is in 6.21.2. No other mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-11T15:50:01.281Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3c2387748d17fc4ff2f772
Added to database: 06/24/2026, 18:35:51 UTC
Last enriched: 06/24/2026, 18:50:49 UTC
Last updated: 06/24/2026, 19:56:53 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.