PatchSiren cyber security CVE debrief

CVE-2026-45332 marcantondahmen CVE debrief

Automad flat-file CMS versions 2.0.0-alpha.1 through 2.0.0-beta.27 contain a Broken Access Control vulnerability that allows unauthenticated attackers to retrieve bcrypt password hashes for all administrator accounts via a single POST request to the `/_api/user-collection/create-first-user` endpoint. This setup endpoint remains publicly accessible after initial configuration and returns full serialized user data including password hashes in its JSON response. The vulnerability was published on 2026-05-28 and is fixed in version 2.0.0-beta.28.

Vendor: marcantondahmen
Product: automad
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

Organizations running Automad CMS versions 2.0.0-alpha.1 through 2.0.0-beta.27; security teams responsible for content management system security; administrators of flat-file CMS deployments; penetration testers and bug bounty programs evaluating Automad installations

Technical summary

The vulnerability exists in Automad's user creation API endpoint `/_api/user-collection/create-first-user`, which is intended for initial setup but remains accessible after configuration completion. The endpoint accepts POST requests without authentication and returns complete serialized user objects including bcrypt password hashes in the JSON response body. This represents a failure to implement proper access controls (CWE-306) and information exposure (CWE-200). The flat-file architecture of Automad means user data is stored in the filesystem, and the API's response structure leaks this sensitive credential material to unauthenticated network attackers.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Automad to version 2.0.0-beta.28 or later to remediate this vulnerability
  • If immediate patching is not possible, restrict network access to the `/_api/user-collection/create-first-user` endpoint at the web server or WAF level
  • Review access logs for POST requests to `/_api/user-collection/create-first-user` that may indicate exploitation attempts
  • Rotate all administrator passwords after patching, as bcrypt hashes may have been exposed
  • Verify that setup endpoints are properly disabled or access-controlled after initial system configuration
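
One way to carry out the access-log review above, as an added example that is not part of this debrief or of the Automad project: a Python scan over web server access logs in combined log format that flags POST requests to the setup endpoint (including query-string, trailing-slash and case variants) and counts 2xx responses per source address. The log lines, addresses and timestamps below are constructed samples; the first legitimate setup call after installation will also appear as a 2xx hit, so correlate hits with the install time.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [28/May/2026:10:01:02 +0000] "POST /_api/user-collection/create-first-user HTTP/1.1" 200 1432 "-" "curl/8.5.0"
198.51.100.7 - - [28/May/2026:10:01:05 +0000] "GET /dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [28/May/2026:10:01:09 +0000] "POST /_api/user-collection/create-first-user HTTP/1.1" 200 1431 "-" "curl/8.5.0"
192.0.2.44 - - [28/May/2026:10:02:00 +0000] "POST /_API/User-Collection/Create-First-User/ HTTP/1.1" 200 1430 "-" "python-requests/2.31"
192.0.2.44 - - [28/May/2026:10:02:30 +0000] "POST /_api/user-collection/create-first-user?x=1 HTTP/1.1" 403 120 "-" "python-requests/2.31"
"""

# Fields of the common/combined log format that the review needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
SETUP_ENDPOINT = "/_api/user-collection/create-first-user"


def normalize_path(path):
    """Drop the query string and trailing slashes and lower-case the path.

    Case-folding is a deliberately conservative choice so that variant spellings
    reach the reviewer; the status code decides whether the server accepted them.
    """
    return path.split("?", 1)[0].rstrip("/").lower()


def find_setup_endpoint_hits(log_text):
    """Return one record per POST to the setup endpoint, flagging 2xx responses.

    A 2xx response is the case to worry about: the affected versions answer it
    with serialized user data, including password hashes.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        if m["method"] != "POST" or normalize_path(m["path"]) != SETUP_ENDPOINT:
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "status": status,
            "size": 0 if m["size"] == "-" else int(m["size"]),
            "likely_disclosure": 200 <= status < 300,
        })
    return hits


def summarize_by_ip(hits):
    """Count successful (2xx) setup-endpoint POSTs per source address."""
    return Counter(h["ip"] for h in hits if h["likely_disclosure"])
```

Any source address with a 2xx hit after the installation date is a candidate for the password rotation recommended above.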

Evidence notes

The CVE description and GitHub Security Advisory confirm the affected version range (2.0.0-alpha.1 to 2.0.0-beta.27) and the specific endpoint (`/_api/user-collection/create-first-user`) that exposes administrator password hashes. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) supports the HIGH severity rating with a base score of 7.5.

Official resources

The vulnerability was disclosed via GitHub Security Advisory GHSA-xm76-r88j-vm3g and published to NVD on 2026-05-28. No CISA KEV listing exists.