Executive Summary
A critical vulnerability (CVE-2026-53943) was discovered in Ghost, a popular blogging platform. An unauthenticated attacker can exploit this flaw to poison the cache, potentially leading to staff user account takeovers when the frontend and admin panel share the same domain. The vulnerability affects versions from v4.0 to v6.36.0 and is patched in v6.37.0.
Technical Analysis
The vulnerability is a cache-poisoning XSS (Cross-Site Scripting) issue. It occurs when an unauthenticated user sends a malicious `x-ghost-preview` header, which can alter the rendered frontend response. If the caching layer stores this response and serves it to subsequent visitors, an attacker can poison the cache with request-specific preview output. This is particularly dangerous when the frontend and admin panel are on the same domain, as it could lead to staff user account takeovers.
How It Gets Exploited
An unauthenticated remote attacker sends a crafted request with an `x-ghost-preview` header to the Ghost server. The server, being behind a shared caching layer (like Fastly, Cloudflare, or nginx proxy_cache), stores the response. When another user, potentially a staff member, requests the same page, the cached response is served, potentially including malicious content. If the attacker crafts a request that results in JavaScript execution in the context of a staff user's session, they could gain control of the staff account.
Impact Assessment
The vulnerability affects Ghost versions from v4.0 up to v6.36.0. According to the CVSS v3.1 score of 9.6, the impact is critical. An attacker could achieve arbitrary code execution or take over staff user accounts if the frontend and admin panel are on the same domain. The blast radius is significant, especially for sites with shared caching layers.
Recommended Actions
1. Update Ghost to version 6.37.0 or later immediately.
2. For self-hosters using Docker, update using Docker's official Ghost image and follow the documentation for updating Ghost.
3. For Ghost-CLI installs, follow the documentation on updating to the latest version.
4. Configure the caching layer to bypass cache for `x-ghost-preview` requests.
5. If you suspect a credential compromise, use the “Reset all authentication” dialogue under Settings / Danger Zone in Ghost v6.41.0 or later.
Sources
- GitHub Security Advisories: GHSA-62q6-4hv4-vjrw
- CVE-2026-53943