CVE-2026-45332 PUBLISHED

Automad Broken Access Control: unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint

Assigner: GitHub_M
Reserved: 11.05.2026 Published: 28.05.2026 Updated: 28.05.2026

Automad is a flat-file content management system and template engine. In versions from 2.0.0-alpha.1 up to and including 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The setup endpoint /_api/user-collection/create-first-user remains publicly reachable after initial configuration is complete and returns the full serialized user data, including the TOTP secrets named in the title, in its JSON response body. Because bcrypt hashes can be cracked offline and a leaked TOTP secret defeats the second factor, operators of exposed instances should reset administrator passwords and re-enroll TOTP after upgrading. This vulnerability is fixed in 2.0.0-beta.28.
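As an added triage example (this is not Automad's code and is not taken from the advisory), the following Python helper does two things an operator of an affected version would want: it scans a captured JSON response from the setup endpoint for values shaped like bcrypt hashes or base32 TOTP secrets, and it flags POSTs to that endpoint in a Combined Log Format access log so post-install hits can be investigated. The endpoint path comes from the advisory; the JSON field names, the log lines and the sample hash and secret values are constructed for this example and are not Automad's actual schema or real credentials.

```python
import json
import re
from typing import Any, Dict, Iterator, List, Tuple

# Endpoint named in the advisory. Everything else below is assumed/constructed.
SETUP_ENDPOINT = "/_api/user-collection/create-first-user"

# Modular-crypt bcrypt: $2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
# TOTP secrets are conventionally RFC 4648 base32; 16+ chars is a heuristic, hence "possible".
BASE32_RE = re.compile(r"^[A-Z2-7]{16,}=*$")

# Combined Log Format (assumed log layout; adjust the pattern for your web server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)


def _walk(obj: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (json_path, scalar) pairs for every leaf in a nested JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _walk(value, f"{path}[{i}]")
    else:
        yield path, obj


def find_exposed_secrets(body: str) -> List[Dict[str, str]]:
    """Report JSON leaves that look like bcrypt hashes or TOTP secrets.

    Field names are deliberately ignored: the advisory says the endpoint returns
    "full serialized user data", so we match on value shape instead of a schema.
    """
    findings: List[Dict[str, str]] = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return findings
    for path, value in _walk(doc):
        if not isinstance(value, str):
            continue
        if BCRYPT_RE.match(value):
            findings.append({"path": path, "kind": "bcrypt_hash"})
        elif BASE32_RE.match(value):
            findings.append({"path": path, "kind": "possible_totp_secret"})
    return findings


def flag_setup_endpoint_hits(log_lines: List[str]) -> List[Dict[str, Any]]:
    """Return every POST to the setup endpoint (query string ignored).

    Any such request after initial configuration is suspicious on an unpatched
    instance. Status and size are reported but not filtered on, because the
    advisory does not state what the vulnerable endpoint returns in those fields.
    """
    hits: List[Dict[str, Any]] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path == SETUP_ENDPOINT:
            size = 0 if m.group("size") == "-" else int(m.group("size"))
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": m.group("status"), "bytes": size})
    return hits


# Constructed sample response (field names and values are invented, not Automad's).
SAMPLE_RESPONSE = json.dumps({"data": {"users": [
    {"name": "admin",
     "password": "$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",
     "totp": "JBSWY3DPEHPK3PXP"},
    {"name": "editor",
     "password": "$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",
     "totp": ""},
]}})

# Constructed access-log lines in Combined Log Format (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [28/May/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123',
    '198.51.100.7 - - [28/May/2026:10:00:02 +0000] "POST /_api/user-collection/create-first-user HTTP/1.1" 200 734',
    '198.51.100.7 - - [28/May/2026:10:00:03 +0000] "POST /_api/user-collection/create-first-user?x=1 HTTP/1.1" 200 734',
    '203.0.113.5 - - [28/May/2026:10:00:04 +0000] "POST /_api/page-collection/list HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for f in find_exposed_secrets(SAMPLE_RESPONSE):
        print(f"{f['kind']:22s} at {f['path']}")
    for h in flag_setup_endpoint_hits(SAMPLE_LOG):
        print(f"setup endpoint POST from {h['ip']} at {h['ts']} status={h['status']} bytes={h['bytes']}")
```

The shape-based scan is intentionally schema-agnostic so it also works on a response captured before you know how the user objects are laid out; the base32 match is a heuristic and will flag any long uppercase alphanumeric string, so treat "possible_totp_secret" as a prompt to look, not a verdict. Run the log check against the full history back to when the instance was installed: a single hit on an unpatched instance should be treated as a credential and TOTP compromise.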

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 7.5

Product Status

Vendor marcantondahmen
Product automad
Versions
  • Version >= 2.0.0-alpha.1, < 2.0.0-beta.28 is affected

Problem Types

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-306: Missing Authentication for Critical Function