HarborGuard / CVE
Back to search
HIGHCVE-2026-45332Published Modified CNA GitHub_M

CVE-2026-45332: Automad Broken Access Control: unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint

Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The /_api/user-collection/create-first-user setup endpoint remains publicly accessible once initial configuration is complete and returns full serialized user data in the JSON response body. This vulnerability is fixed in 2.0.0-beta.28.

HarborGuard Analysis

HarborGuard analysis

Synopsis

Broken access control in Automad (a flat-file CMS) exposes administrator bcrypt password hashes and TOTP secrets to any unauthenticated attacker. The vulnerability is reachable over the network with no credentials required, by sending a single POST request to the /_api/user-collection/create-first-user endpoint, which remains publicly accessible after initial setup and returns full serialized user data in its JSON response. Successful exploitation gives an attacker the material needed to mount offline password-cracking attempts or bypass two-factor authentication. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images derived from affected Automad versions. Any image carrying a vulnerable release (2.0.0-alpha.1 through 2.0.0-beta.27) is flagged automatically in registry and CI pipeline scans.

Available
Triage

HarborGuard scores this CVE at 7.5 HIGH (CVSS v3.1) and surfaces it accordingly in each customer environment, weighted against the compliance policy configured for that environment. Findings are routed to the appropriate team inbox based on per-org ownership rules, so the right engineers see the alert without manual triage.

Available
Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the maintainer ships a resolved release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without requiring manual intervention.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable endpoint is exposed over the network; an attacker must be able to reach the Automad service via HTTP/HTTPS to send the malicious POST request.

  • AuthenticationNot required

    No credentials or session token of any kind are needed; the endpoint is publicly accessible to any caller.

  • Victim interactionNot required

    The attacker makes a direct API request and receives the response with no action required from any user or administrator.

  • Attack complexityDetail

    Exploitation is reliable and condition-free; a single well-formed POST request is sufficient with no race conditions or environmental prerequisites.

Blast Radius

  • Retrieves the bcrypt password hash of every administrator account, providing offline cracking material that can yield plaintext credentials if a weak or reused password was chosen.
  • Exposes TOTP secrets associated with administrator accounts, allowing an attacker to generate valid one-time codes and defeat two-factor authentication protections.
  • Enables account takeover of administrator accounts, granting full control over CMS content, templates, and configuration once credentials are cracked or TOTP is bypassed.

How HarborGuard Handles This

Available on HarborGuard: because no fix version has been published, HarborGuard continuously monitors this advisory on every ingest cycle and will trigger a patched-image rebuild automatically as soon as the upstream maintainer releases a resolved version. For customers who opt into auto-remediation, that rebuild will be followed by a regression run and a PR opened against affected workloads. In the interim, compensating controls worth applying include network-policy rules that restrict external access to the /_api/user-collection/create-first-user endpoint (for example, via an ingress allowlist or a WAF rule blocking POST requests to that path), egress filtering to limit lateral movement if a host is compromised, and auditing administrator account credentials and TOTP secrets for rotation given that hashes may already have been harvested. HarborGuard will surface the rebuilt image and close the finding automatically once the upstream fix is confirmed ingested.

See how HarborGuard automates this

Metrics

CVSS v3.1
7.5
Severity
HIGH
Fixed in
Affected Products
1
Affected packages
  • marcantondahmen / automad
    >= 2.0.0-alpha.1, < 2.0.0-beta.28
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References