EXECUTIVE SUMMARY:
CVE-2026-45332 (CVSS score 7.5) is a broken access control flaw in Automad, a flat-file CMS and template engine, affecting composer/automad/automad versions from 2.0.0-alpha.1 through 2.0.0-beta.27. The vulnerability arises because the setup endpoint "/_api/user-collection/create-first-user" remains publicly reachable after initial configuration and returns the full serialized user object in the JSON response, inadvertently exposing every administrator's bcrypt password hash and, in version 2.0.0-beta.27, the TOTP secret used for two-factor authentication. An attacker can exploit this by sending a single unauthenticated POST request over the network to the endpoint; no credentials, privileges, or user interaction are required. The attacker gains the ability to harvest password hashes and authentication secrets, which can be subjected to offline brute-force or dictionary attacks to recover plaintext passwords and bypass 2FA, effectively granting full administrative control. Business impact includes loss of confidentiality, potential full system compromise, and exposure of internal file system paths, enabling further targeted attacks. Exploitation requires only that the vulnerable Automad instance be reachable via HTTP and that the insecure endpoint remain enabled.
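As an added illustration (not Automad's own code), the following Python models the flaw class described above next to a hardened form: a first-user setup handler that stays callable after setup and echoes the serialized user store (leaking password hashes and TOTP secrets), versus one that refuses once a user exists and returns only an allow-list of public fields. The in-memory store, the hashing stand-in for bcrypt and the sample payload are constructed for this example.

```python
import hashlib
import json
import secrets
from dataclasses import dataclass, asdict

SECRET_FIELDS = {"password_hash", "totp_secret"}  # must never appear in any API response


@dataclass
class User:
    name: str
    email: str
    password_hash: str  # bcrypt hash in the real CMS; a hashlib stand-in here
    totp_secret: str    # 2FA seed; constructed with secrets.token_hex below


class UserCollection:
    """In-memory stand-in for the CMS user store (constructed for this example)."""
    def __init__(self):
        self.users = []

    def has_users(self):
        return bool(self.users)

    def create(self, payload):
        pw_hash = "$stub$" + hashlib.sha256(payload["password"].encode()).hexdigest()
        user = User(payload["name"], payload["email"], pw_hash, secrets.token_hex(10))
        self.users.append(user)
        return user


def create_first_user_vulnerable(collection, payload):
    """Models the flaw: no 'setup already done' gate on the response, and the
    whole serialized user collection (hashes and TOTP secrets included) is echoed."""
    if not collection.has_users():
        collection.create(payload)
    return 201, json.dumps([asdict(u) for u in collection.users])


def create_first_user_hardened(collection, payload):
    """Refuse once setup is complete, and serialize only an allow-list of public fields."""
    if collection.has_users():
        return 403, json.dumps({"error": "setup already completed"})
    user = collection.create(payload)
    return 201, json.dumps({"name": user.name, "email": user.email})


def response_leaks_secrets(body):
    """Detection helper: does a JSON response body carry any server-side-only field?"""
    def walk(node):
        if isinstance(node, dict):
            return any(k in SECRET_FIELDS or walk(v) for k, v in node.items())
        return isinstance(node, list) and any(walk(v) for v in node)
    return walk(json.loads(body))
```

The `response_leaks_secrets` check is the kind of assertion worth keeping in an API test suite so that a serializer change cannot silently reintroduce the leak.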
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-xm76-r88j-vm3g