CVE-2026-45332

HIGH

Automad Broken Access Control: unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-45332. PoCs published by lorenzocamilli.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept exploit for CVE-2026-45332, demonstrating an unauthenticated credential dump vulnerability in Automad CMS. The exploit leverages a broken access control flaw in the `/_api/user-collection/create-first-user` endpoint to retrieve bcrypt password hashes and TOTP secrets of all administrator accounts.

Description

Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The /_api/user-collection/create-first-user setup endpoint remains publicly accessible once initial configuration is complete and returns full serialized user data in the JSON response body. This vulnerability is fixed in 2.0.0-beta.28.

Exploits (1)

github WORKING POC
by lorenzocamilli · poc
https://github.com/lorenzocamilli/CVE-2026-45332-PoC

Classification: Working PoC (100%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Automad CMS versions >= 2.0.0-alpha.1, <= 2.0.0-beta.27
Authentication: No auth needed
Prerequisites: A running Automad CMS instance on an affected version
Analyzed by devstral-2 on Jun 02, 2026

References (1)


Scores

CVSS v3: 7.5
EPSS: 0.0006
EPSS Percentile: 18.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-200, CWE-306
Status: published
Products (2):
- automad/automad 2.0.0-alpha.1 - 2.0.0-beta.28 (Packagist)
- marcantondahmen/automad >= 2.0.0-alpha.1, < 2.0.0-beta.28
Published: May 28, 2026
Tracked Since: May 29, 2026