HIGHCVE-2026-29784CVSS 7.5

CVE-2026-29784: CSRF in Ghost CMS

Q: What is CVE-2026-29784 — CSRF in Ghost CMS?

CVE-2026-29784 is a Cross-Site Request Forgery vulnerability in Ghost CMS versions 5.101.6 to 6.19.2, allowing attackers to potentially take over login sessions.

Q: Am I affected by CVE-2026-29784 in Ghost CMS?

You are affected if you are running Ghost CMS versions 5.101.6 through 6.19.2. Upgrade to 6.19.3 or later to resolve the issue.

Q: How do I fix CVE-2026-29784 in Ghost CMS?

Upgrade Ghost CMS to version 6.19.3 or later. For Docker users, update the Ghost Docker image. Consider implementing stricter CSP headers as a temporary measure.

Q: Is CVE-2026-29784 being actively exploited?

There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.

Q: Where can I find the official Ghost advisory for CVE-2026-29784?

Refer to the official Ghost blog and security advisories for the latest information: https://ghost.org/security/

Platform

nodejs

Component

ghost

Fixed in

5.101.7

6.19.3

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026

View on NVD

Save

CVE-2026-29784 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in Ghost CMS. This flaw allows attackers to potentially exploit login sessions, increasing the risk of unauthorized access and site takeover. The vulnerability impacts versions 5.101.6 through 6.19.2 and has been resolved in version 6.19.3.

Impact and Attack Scenarios

The vulnerability lies in incomplete CSRF protections surrounding the /session/verify endpoint. An attacker could craft malicious requests that, if successful, would allow them to use One-Time Codes (OTCs) within login sessions different from the one being actively used by a legitimate user. This significantly lowers the barrier for phishing attacks, as an attacker could potentially trick a user into unknowingly triggering a request that compromises their Ghost site. The blast radius extends to any Ghost site running the vulnerable versions, potentially exposing sensitive data and allowing for complete site control.

Exploitation Context

This vulnerability was publicly disclosed on March 5, 2026. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. Given the nature of CSRF vulnerabilities, it's reasonable to assume that attackers may attempt to exploit this flaw, especially if a public exploit is released.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.02% (5% percentile)

CISA SSVC

Exploitationnone

Automatableno

Technical Impacttotal

CVSS Vector

Affected Software

Componentghost

Vendorosv

Affected rangeFixed in

>= 5.101.6, < 6.19.3 – >= 5.101.6, < 6.19.35.101.7

5.101.66.19.3

Weakness Classification (CWE)

CWE-352

Timeline

Reserved2026-03-04
Published2026-03-05
Modified2026-03-10
EPSS updated2026-03-23

Mitigation and Workarounds

The primary mitigation is to upgrade Ghost CMS to version 6.19.3 or later, which includes the necessary fix. For self-hosted instances using Docker, update the Ghost Docker image to the latest version. If immediate upgrading is not feasible, consider implementing stricter Content Security Policy (CSP) headers to limit the origins from which scripts can be executed. While not a complete solution, this can reduce the attack surface. Regularly review and audit your Ghost CMS configuration for any unusual activity.

How to fix

Update Ghost to version 6.19.3 or higher. This version fixes the incomplete CSRF protections that allowed the use of OTCs in login sessions different from the requesting session. The update mitigates the risk of attackers taking control of the site.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-29784 — CSRF in Ghost CMS?