Skip to main content

Automad CVE-2026-45332

| EUVDEUVD-2026-32980 HIGH
Information Exposure (CWE-200)
2026-05-27 https://github.com/marcantondahmen/automad GHSA-xm76-r88j-vm3g
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 27, 2026 - 21:48 vuln.today
Analysis Generated
May 27, 2026 - 21:48 vuln.today

DescriptionGitHub Advisory

Summary

A Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The /_api/user-collection/create-first-user setup endpoint remains publicly accessible once initial configuration is complete and returns full serialized user data in the JSON response body.

Details

Affected version:

  • bcrypt hash exposure: >= 2.0.0-alpha.1, <= 2.0.0-beta.27
  • TOTP secret exposure: only 2.0.0-beta.27

Impact

Any Automad installation reachable over HTTP is at risk no prior account, credentials, or special network position are required to exploit this vulnerability.

Potential impacts include:

  • Credential hash exposure enabling offline brute-force or dictionary attacks:

bcrypt password hashes for every administrator are returned in a single unauthenticated response. While hashes are not plaintext passwords, the salt embedded in the hash is not secret it is visible in the response. Administrators using common or weak passwords are at direct risk of having their plaintext password recovered.

  • TOTP secret exposure:

The TOTP secret is included in the response starting with version 2.0.0-beta.27, the first release introducing TOTP-based two-factor authentication. If an attacker successfully recovers a plaintext password, two-factor authentication can be bypassed entirely. *Only version 2.0.0-beta.27 is affected by this specific issue.*

  • Information disclosure:

The response discloses the absolute filesystem path to the configuration directory. While the directory structure is publicly documented, the absolute server path may expose environment-specific information.

Remediation

Update to version 2.0.0-beta.28 or later.

This issue was reported privately and fixed prior to public disclosure.

AnalysisAI

Unauthenticated information disclosure in Automad CMS (Composer package automad/automad) versions 2.0.0-alpha.1 through 2.0.0-beta.27 lets any remote attacker retrieve the bcrypt password hash of every administrator account through a single POST request to the setup endpoint. The /_api/user-collection/create-first-user endpoint stays publicly reachable after initial configuration and returns fully serialized user records, and in 2.0.0-beta.27 it additionally leaks TOTP two-factor secrets. There is no public exploit identified at time of analysis, but exploitation is trivial (network, no authentication, no user interaction) and the issue was fixed in 2.0.0-beta.28.

Technical ContextAI

Automad is a flat-file (file-based, no database) PHP content management system distributed via Composer as automad/automad, identified by CPE pkg:composer/automad_automad. The flaw is a Broken Access Control / sensitive information exposure issue classed as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The root cause is that the first-run provisioning route /_api/user-collection/create-first-user - intended only to bootstrap the initial admin during install - is never disabled or access-gated after setup completes, and its handler echoes the full serialized user collection in the JSON response. That serialized data includes each admin's bcrypt password hash (which embeds the non-secret per-user salt) and, in the build that introduced TOTP-based 2FA (2.0.0-beta.27), the TOTP shared secret, plus the absolute filesystem path to the configuration directory.

RemediationAI

Vendor-released patch: 2.0.0-beta.28 - update the automad/automad Composer package to 2.0.0-beta.28 or later (for example via composer update automad/automad) as the primary and complete fix, per advisory GHSA-xm76-r88j-vm3g (https://github.com/marcantondahmen/automad/security/advisories/GHSA-xm76-r88j-vm3g). Because exploitation requires no authentication, treat administrator credentials as compromised after patching: force a password reset for every admin account and, for installs that ran 2.0.0-beta.27, regenerate (re-enroll) all TOTP 2FA secrets, since exposed hashes and TOTP secrets remain usable until rotated. If immediate patching is not possible, block or deny external access to the /_api/user-collection/create-first-user path at the web server or reverse proxy (for example a location/rule returning 403), accepting that this also blocks legitimate first-user setup on a fresh install; restricting the entire /_api surface to trusted source IPs is a stronger stopgap but will break the admin panel for users outside that range.

Share

CVE-2026-45332 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy