Listen to this Post
From version 5.101.6 to 6.19.2, the Ghost CMS suffered from incomplete CSRF protections on the `/session/verify` endpoint. This endpoint handles One-Time Codes (OTCs) used in login flows. The flaw allowed an OTC generated for one user session to be accepted and used within a completely different, attacker-controlled session. In a phishing scenario, an attacker could trick a victim into completing a login or verification step. The attacker could then potentially use the captured OTC in their own browser session to gain authenticated access to the victim’s Ghost site. This bypasses the intended security boundary that ties a verification code to the specific session that requested it. The vulnerability stems from a failure to properly validate the session context against the token context. The issue was resolved in Ghost version 6.19.3 by enforcing strict session binding for all OTC verification attempts.
dailycve form:
Platform: Ghost CMS
Version: 5.101.6 to 6.19.2
Vulnerability : CSRF
Severity: High (7.5)
Date: March 7, 2026
Prediction: Patch already available
What Undercode Say:
Analytics:
The vulnerability affects all Ghost CMS instances running versions between 5.101.6 and 6.19.2. The CVSS vector (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates a network-based attack with high complexity that requires user interaction. Successful exploitation leads to a full account takeover with high impact on confidentiality, integrity, and availability .
Exploit:
An attacker would first set up a phishing page mimicking a Ghost login. They would then lure an authenticated Ghost user to this page, which initiates a legitimate OTC request to the victim’s session. The attacker, in their own separate session, would simultaneously hit the `/session/verify` endpoint with the OTC. Due to the CSRF flaw, the server incorrectly validates the token against the attacker’s session instead of rejecting it.
Example CURL command demonstrating the vulnerable endpoint (Conceptual) Victim's browser (Session A) requests an OTC curl -X POST https://victim-ghost.com/session/request_otc -H "Cookie: session=A" Attacker (Session B) attempts to use the stolen OTC curl -X POST https://victim-ghost.com/session/verify \ -H "Cookie: session=B" \ -d "otc=STOLEN_OTC_CODE"
Protection:
- Immediate Upgrade: Update your Ghost CMS instance to version 6.19.3 or later. This is the official patch provided by Ghost.
- Security Patches: Ensure all underlying Node.js dependencies and the server operating system are up-to-date.
- Phishing Awareness: Conduct user training to recognize and avoid phishing attempts that may try to capture OTCs.
- Code Audit: If running a custom version, ensure the `/session/verify` endpoint strictly validates the `session` ID associated with the OTC request.
Impact:
Successful exploitation allows an attacker to take over a victim’s Ghost site, leading to data breaches, site defacement, or using the compromised site for further malicious activities.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

