8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-22595

CVE-2026-22595: Ghost has Staff Token permission bypass

Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session authentication. External systems that have been authenticated via Staff Tokens for Admin/Owner-role users would have had access to these endpoints. This issue has been patched in versions 5.130.6 and 6.11.0.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-22595

CVE-2026-22595:

8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ghost	npm	>= 6.0.0, <= 6.10.3	6.11.0
ghost	npm	>= 5.105.0, <= 5.130.5	5.130.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in a middleware function within Ghost's admin API that is responsible for checking permissions for staff tokens. The analysis of the provided patches (commits 9513d2a35c21067127ce8192443d8919ddcefcc8 and c3017f81a5387b253a7b8c1ba1959d430ee536a3) reveals that the core issue was an improper URL path comparison. The vulnerable code only checked for paths with a trailing slash (e.g., /db/ and /users/owner/) when blocking sensitive operations for staff tokens. An attacker could simply make a request to the same path without the trailing slash (e.g., /db) to bypass this security check. This would grant unauthorized access to critical functionality such as deleting all content or transferring ownership of the site. The patches fix this by explicitly checking for the path both with and without the trailing slash. The vulnerable function is identified as tokenPermissionCheck in one version and notImplemented in another, both located in ghost/core/core/server/web/api/endpoints/admin/middleware.js. Both function names are included as they represent the vulnerable logic in different versions of the codebase.

Vulnerable functions

tokenPermissionCheck

ghost/core/core/server/web/api/endpoints/admin/middleware.js

This function, which acts as a middleware for the admin API, contained a vulnerability where it only checked for protected paths with a trailing slash (e.g., '/db/'). This allowed attackers to bypass the permission check by sending requests to the same endpoints without the trailing slash (e.g., '/db'), leading to unauthorized access to sensitive operations like deleting all content or transferring ownership.

notImplemented

ghost/core/core/server/web/api/endpoints/admin/middleware.js

This function, which appears to be an earlier version of `tokenPermissionCheck`, has the same vulnerability. It fails to properly check for paths without a trailing slash, allowing for a bypass of staff token permissions. The vulnerability is the same, but the function name differs between versions.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-22595: Ghost has Staff Token permission bypass

CVE-2026-22595:

8.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

8.1

8.1

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2026-22595: Ghost has Staff Token permission bypass

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI