GHSA-9M84-WC28-W895: GHSA-9m84-wc28-w895: Incomplete CSRF Protection and Weak OTC Binding in Ghost

#security #cve #cybersecurity #ghsa

GHSA-9m84-wc28-w895: Incomplete CSRF Protection and Weak OTC Binding in Ghost

Vulnerability ID: GHSA-9M84-WC28-W895
CVSS Score: High
Published: 2026-03-05

Ghost, a popular open-source publishing platform, contains critical vulnerabilities in its authentication mechanisms affecting versions prior to 5.105.0. The platform failed to cryptographically bind One-Time Codes (OTCs) to the initiating browser session and implemented insufficient Cross-Site Request Forgery (CSRF) protections on sensitive endpoints. These architectural flaws allow attackers to potentially bypass authentication challenges or hijack administrator accounts by leveraging cross-origin requests and reusing valid OTCs across different sessions.

TL;DR

Ghost < 5.105.0 fails to bind One-Time Codes (OTCs) to specific sessions and lacks strict CSRF origin validation. Attackers can exploit this to bypass authentication challenges or hijack administrator accounts via malicious cross-origin requests.

⚠️ Exploit Status: POC

Technical Details

Vulnerability Type: CSRF & Session Fixation
CWE ID: CWE-352, CWE-613
Attack Vector: Network (Web)
Severity: High
Exploit Status: Proof of Concept (Internal)
Component: core/server/services/auth

Affected Systems

Ghost CMS (npm package 'ghost')
Ghost: < 5.105.0 (Fixed in: 5.105.0)

Code Analysis

Commit: ec065a7

Fixed CSRF protection and OTC session binding

Mitigation Strategies

Upgrade Ghost to version 5.105.0 or later.
Ensure admin_url is explicitly configured in config.production.json to enable correct origin validation.
Review server logs for 400 BadRequestError on authentication endpoints, which may indicate failed CSRF attempts.

Remediation Steps: