CVE-2026-22594

High

Published: 10 January 2026

Published

10 January 2026

Modified

15 January 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0001 2.6th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22594 is a high-severity Improper Authentication (CWE-287) vulnerability in Ghost Ghost. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Flaw remediation requires timely identification, reporting, and correction of the specific 2FA bypass vulnerability in Ghost, preventing exploitation of CVE-2026-22594.

IA-5 Authenticator Management good match

prevent

Authenticator management ensures proper implementation and verification of multi-factor authenticators like email 2FA, directly addressing improper authentication that allows skipping.

IA-11 Re-authentication partial match

prevent

Re-authentication for privileged staff actions provides an additional layer to enforce 2FA even if initial authentication is bypassed.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Auth bypass vuln in public-facing Ghost CMS directly enables T1190 exploitation and T1068 priv esc via skipped 2FA.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0.

Deeper analysisAI

CVE-2026-22594 is a vulnerability in the two-factor authentication (2FA) mechanism of Ghost, a Node.js content management system. It affects Ghost versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, where staff users can bypass email-based 2FA. The issue is classified under CWE-287 (Improper Authentication) with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to its potential for significant confidentiality and integrity impacts.

An authenticated staff user with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By skipping the email 2FA step, the attacker gains unauthorized access to staff-level functionalities, potentially allowing them to read sensitive data, modify content, or perform other privileged actions, resulting in high confidentiality and integrity violations without affecting availability.

The Ghost security advisory (GHSA-5fp7-g646-ccf4) and associated patches detail mitigation through upgrading to Ghost version 5.130.6 or 6.11.0, where the flaw is fixed via commits b59f707f670e6f175b669977724ccf16c718430b and fc7bc2fb0888513498154ec5cb4b21eccb88de07. Security practitioners should prioritize updating affected installations and review staff access controls to limit exposure.