Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-xm76-r88j-vm3g | Automad has Broken Access Control: Unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint |
Sat, 30 May 2026 02:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 29 May 2026 16:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Marcantondahmen
Marcantondahmen automad |
|
| Vendors & Products |
Marcantondahmen
Marcantondahmen automad |
Thu, 28 May 2026 19:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The /_api/user-collection/create-first-user setup endpoint remains publicly accessible once initial configuration is complete and returns full serialized user data in the JSON response body. This vulnerability is fixed in 2.0.0-beta.28. | |
| Title | Automad Broken Access Control: unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint | |
| Weaknesses | CWE-200 CWE-306 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-30T02:10:27.586Z
Reserved: 2026-05-11T20:50:30.540Z
Link: CVE-2026-45332
Updated: 2026-05-30T02:10:20.166Z
Status : Deferred
Published: 2026-05-28T19:16:39.133
Modified: 2026-06-01T18:50:57.210
Link: CVE-2026-45332
No data.
OpenCVE Enrichment
Updated: 2026-05-29T15:48:02Z
Github GHSA