Improper access control in Ghost - #VU128201


Published: September 23, 2021 / Updated: April 27, 2026


Vulnerability identifier: #VU128201
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Ghost
Software vendor: Ghost

Description

The vulnerability allows a remote attacker to take over arbitrary member accounts.

The vulnerability exists due to improper access control in the member email change functionality when handling crafted requests to the relevant API endpoint. A remote attacker can change a member account's email address to one they control, validate the new address via the magic link sent to it, and thereby take over arbitrary member accounts.

Only instances with members functionality enabled are vulnerable.


Remediation

Install the security update from the vendor's website.

External links