CVE-2026-45332
Automad Broken Access Control: unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
14th
Automad is a flat-file content management system and template engine. In versions from 2.0.0-alpha.1 up to but not including 2.0.0-beta.28, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash and TOTP secret of every administrator account with a single POST request. The /_api/user-collection/create-first-user endpoint, intended only for initial setup, remains publicly reachable after the first user has been created and returns the fully serialized user collection in its JSON response body. The endpoint discloses data without modifying it, which is why the CVSS vector rates integrity and availability impact as none; the practical impact is still severe, because a leaked TOTP secret lets an attacker who cracks a bcrypt hash offline satisfy the second factor as well. This vulnerability is fixed in 2.0.0-beta.28. Operators of affected instances should upgrade, then rotate every administrator password and re-enroll TOTP, since secrets disclosed before the upgrade remain valid.
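The access-control failure above, modelled as an added example (this is not Automad's code): a setup handler that stays reachable after setup and serializes the whole user collection, the hardened form a reviewer would expect, and a scanner that checks a JSON response body for leaked credential material. The field names `password_hash` and `totp_secret`, the in-memory user store, the request shape and the PBKDF2 stand-in for bcrypt are all assumptions, not Automad's actual data model.

```python
"""
Added example, not Automad's own code: a minimal model of the broken
access control behind CVE-2026-45332, the hardened handler a reviewer
would expect, and a response scanner that detects the leak. The field
names (password_hash, totp_secret), the in-memory user store and the
request shape are assumptions, not Automad's actual data model.
"""
import base64
import hashlib
import hmac
import json
import re
import secrets

PBKDF2_ITERATIONS = 200_000
SENSITIVE_KEYS = {"password_hash", "totp_secret"}
# A bcrypt hash is 60 chars: $2a$/$2b$/$2y$ prefix, 2-digit cost, then a
# 53-char salt+hash from the bcrypt base64 alphabet.
BCRYPT_RE = re.compile(r"\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}")

# Constructed sample data: a bcrypt-shaped placeholder (not a real hash)
# and a base32 TOTP secret, as an already-enrolled admin would have.
SAMPLE_USERS = [{
    "name": "admin",
    "email": "admin@example.test",
    "password_hash": "$2y$10$" + "a" * 53,
    "totp_secret": "JBSWY3DPEHPK3PXP",
}]

def hash_password(password: str) -> str:
    """Stand-in for bcrypt (not in the standard library): salted PBKDF2."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"

def verify_password(stored: str, password: str) -> bool:
    _algo, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)

def new_user(body: dict) -> dict:
    return {
        "name": body["name"],
        "email": body["email"],
        "password_hash": hash_password(body["password"]),
        "totp_secret": base64.b32encode(secrets.token_bytes(20)).decode(),
    }

def create_first_user_vulnerable(store: list, body: dict) -> tuple:
    """Pre-beta.28 behaviour as the advisory describes it: the endpoint
    stays reachable after setup and serializes the whole user collection,
    hashes and TOTP secrets included. (Whether the real handler also
    created a user in that state is not stated; this model only creates
    one when the store is empty.)"""
    if not store:
        store.append(new_user(body))
    return 200, json.dumps({"users": store})

def public_view(user: dict) -> dict:
    return {k: v for k, v in user.items() if k not in SENSITIVE_KEYS}

def create_first_user_hardened(store: list, body: dict) -> tuple:
    """Two fixes: refuse once any user exists (CWE-306), and never
    serialize credential material, even on success (CWE-200)."""
    if store:
        return 403, json.dumps({"error": "setup already completed"})
    user = new_user(body)
    store.append(user)
    return 201, json.dumps({"user": public_view(user)})

def find_leaks(body: str) -> dict:
    """Report sensitive keys by JSON path plus any bcrypt-shaped string,
    so a leak under a renamed key is still caught."""
    hits = {"keys": [], "bcrypt": BCRYPT_RE.findall(body)}

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in SENSITIVE_KEYS:
                    hits["keys"].append(f"{path}/{key}")
                walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}/{index}")

    walk(json.loads(body), "")
    return hits

if __name__ == "__main__":
    req = {"name": "probe", "email": "probe@example.test", "password": "hunter2"}
    _, body = create_first_user_vulnerable(list(SAMPLE_USERS), req)
    print("vulnerable:", find_leaks(body))
    print("hardened:", create_first_user_hardened(list(SAMPLE_USERS), req)[0])
```

The scanner is the part worth reusing: pointed at a captured response from any setup or user-management endpoint, it flags both the known sensitive keys and any 60-character bcrypt-shaped string, so it does not depend on guessing the field names. The hardened handler shows that gating the endpoint alone is not enough; the success response must also omit credential material, otherwise the legitimate first-run request still echoes the hash and TOTP secret to the client.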
| Field | Value |
| --- | --- |
| CWE | CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-306 (Missing Authentication for Critical Function) |
| Vendor | marcantondahmen |
| Product | automad |
| Published | May 28, 2026 |
| Last Updated | May 30, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
| Metric | Value |
| --- | --- |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | None |
| Availability | None |
Affected Versions
marcantondahmen / automad
>= 2.0.0-alpha.1, < 2.0.0-beta.28