Launch Week Day 1: Announcing Security Design Review
Start for Free
HIGH 7.5 npm

Ghost has incomplete CSRF protections around OTC use

GHSA-9m84-wc28-w895 · BIT-ghost-2026-29784 · CVE-2026-29784

Published · Modified

Description

Impact

Incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site.

Vulnerable versions

This vulnerability is present in Ghost from v5.101.6 up to v6.19.2.

Patches

v6.19.3 contains a fix for this issue.

How to update

For self-hosters using Docker, find Docker's official Ghost image here. Updating a Docker-based Ghost instance is documented here.

If a project's Ghost is a Ghost-CLI install see the documentation on updating it to the latest version here.

For more information

If there are any questions or comments about this advisory, send an email to security@ghost.org.

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes