CVE-2026-45332
Automad Broken Access Control: unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint
Vexday Risk Score: 41 (Attention)
SSVC decision (CISA): Attend
PoC available → attend closely
CVSS 7.5 · EPSS 0.3% · KEV: no · Public PoC: yes · Nuclei: — · Metasploit: — · Patch: —
Lifecycle
28 May 2026: Published on NVD
02 Jun 2026: Public PoC
Recommendation: Plan a near-term fix — a public PoC already exists.
Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The /_api/user-collection/create-first-user setup endpoint remains publicly accessible once initial configuration is complete and returns full serialized user data in the JSON response body. This vulnerability is fixed in 2.0.0-beta.28.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
marcantondahmen · automad
Public PoCs found: 1
GitHub: github.com/lorenzocamilli/CVE-2026-45332-PoC
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.