Description

Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The /_api/user-collection/create-first-user setup endpoint remains publicly accessible once initial configuration is complete and returns full serialized user data in the JSON response body. This vulnerability is fixed in 2.0.0-beta.28.
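The two defects the description names, a setup endpoint that stays reachable after setup and a response that serializes the whole user record, modelled beside their fixes. This is an added illustration, not Automad's code: the `UserCollection`, `User` and handler names, and the assumption that the setup handler only creates a user when the collection is empty, are constructed for the example.

```python
"""Hypothetical model of a first-user setup endpoint (not Automad's code).

Vulnerable variant: no check that setup already finished, and the response
body serializes every stored user, bcrypt hash included.
Fixed variant: refuse once any user exists, and never serialize the hash.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    email: str
    password_hash: str  # bcrypt hash; must never leave the server


@dataclass
class UserCollection:
    users: dict = field(default_factory=dict)


def create_first_user_vulnerable(coll, name, email, password_hash):
    # Creation only happens on an empty collection (assumption), but the
    # endpoint answers everyone and dumps the full records regardless.
    if not coll.users:
        coll.users[name] = User(name, email, password_hash)
    return {"status": 200, "data": [vars(u) for u in coll.users.values()]}


def public_view(user):
    # Response minimization: only fields a client legitimately needs.
    return {"name": user.name, "email": user.email}


def create_first_user_fixed(coll, name, email, password_hash):
    if coll.users:
        # Setup is complete: reject before touching state or serializing.
        return {"status": 403, "data": None}
    coll.users[name] = User(name, email, password_hash)
    return {"status": 201, "data": public_view(coll.users[name])}


def leaks_hash(value):
    """True if any string in a response looks like a bcrypt hash."""
    if isinstance(value, str):
        return value.startswith(("$2a$", "$2b$", "$2y$"))
    if isinstance(value, dict):
        return any(leaks_hash(v) for v in value.values())
    if isinstance(value, (list, tuple)):
        return any(leaks_hash(v) for v in value)
    return False
```

`leaks_hash` doubles as a regression check a test suite can run over any JSON response of the fixed handler.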

Status: Published | Reserved 2026-05-11 | Published 2026-05-28 | Updated 2026-05-30 | Assigner: GitHub_M

Severity: HIGH, CVSS v3.1 base score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-306: Missing Authentication for Critical Function

Product status

Affected: >= 2.0.0-alpha.1, < 2.0.0-beta.28

References

github.com/...utomad/security/advisories/GHSA-xm76-r88j-vm3g (exploit)

github.com/...utomad/security/advisories/GHSA-xm76-r88j-vm3g

cve.org (CVE-2026-45332)

nvd.nist.gov (CVE-2026-45332)