Cache-Poisoning Takeover Flaw in Publishing Platform Ghost (CVE-2026-53943) — Update to v6.37.0
Ghost, a popular tool for blogs and newsletters, has a flaw that lets an attacker poison the site's display from outside and potentially take over the operator's account. CVE-2026-53943, severity CVSS 9.6. A header sent without authentication can serve a poisoned display to other visitors, and when the public site and admin share one domain it can lead to staff takeover. Versions 4.0.0–6.36.x are affected; update to 6.37.0.

Makoto Horikawa
Backend Engineer / AWS / Django
Ghost, a popular platform for building blogs and sending newsletters, has been found to contain a vulnerability (a software flaw) that lets an attacker poison the site's display from outside and potentially take over the operator's account. It is tracked as CVE-2026-53943, with a severity of 9.6 out of 10 (Critical).
The affected versions are 4.0.0 through the 6.36.x line. It was reported by GitHub and disclosed on June 24, 2026. The fix is included in 6.37.0. When an attacker sends a specific header (information attached to a request) without authentication, a poisoned display can be served to other visitors too, and especially when the public site and the admin panel run on the same domain, it can lead to takeover of an editor's or staff member's account.
What kind of service is Ghost?
Ghost is an open-source publishing/blogging tool (CMS) that handles creating and publishing articles, managing members, paid subscriptions, and sending email newsletters all in one. Like WordPress, you can run it on your own server, and it is favored by professional writers and news outlets. According to its official site, publications running on Ghost generate over $100 million in combined annual revenue, with users including 404 Media, Platformer, and Y Combinator.
On high-traffic sites, it is common to put a cache (a mechanism that temporarily stores and reuses a once-built display) in front to speed things up. This flaw is the kind known as "cache poisoning," whose danger jumps when combined with such a cache.
Who targets it, what they do, and what happens
The targets are operators running a site on Ghost with a shared cache in front for speed, and with the public site and admin panel on the same domain. This is not a special configuration; it arises from a combination of common setups. The attack requires no login on the operator's side and can be carried out by an outside third party.
What an attacker does is send a request with a specific "x-ghost-preview" header, make the site build a display with different contents than normal, and get the shared cache to memorize it. Once the cache is poisoned, the poisoned display is served as-is to other visitors who access the site afterward.
The most dangerous case is when the public site and the admin panel share the same domain. Through the poisoned response, an editor's or staff member's account that can edit the site may be taken over. Once that happens, it leads to damage that shakes the whole site's trust: tampered articles, planted misinformation, access to member data, and the addition of rogue accounts. For readers, a site they trust could be rewritten without their knowledge.
It is reported that running the public site and the admin panel on separate domains eliminates this takeover risk. Once a vulnerability begins to be used in real attacks, it may be added to the U.S. agency CISA's list of known exploited vulnerabilities (KEV); we maintain a Japanese-language overview in our CISA KEV Dashboard (Japanese edition).
What the vulnerability is
A cache works on the premise that "the same URL returns the same contents." The problem here is that this premise can be broken with a header attached from outside.
CVE-2026-53943: a preview header poisons the cache, leading to takeover (CVSS 9.6)
According to the published information, the "x-ghost-preview" header sent without authentication caused Ghost to change the response of the public site. With a shared cache in front of Ghost, this altered response is stored in the cache and served to other visitors too. In environments where the public site and admin panel share the same domain, this poisoning is described as potentially leading to staff account takeover.
In the fixed version 6.37.0, the handling of this header was reworked. A CMS also pulls in many externally sourced themes and plugins, so this is a good moment to inspect every component that makes up your site; our OSS supply-chain scanner overview covers one way to do that.
A quick check of whether you are affected
Affected are 4.0.0 through the 6.36.x line, fixed in 6.37.0. The combination of "a shared cache" and "the public site and admin panel on the same domain" is the most dangerous. You can check your version in the admin panel.
| Version | Public site & admin domain | What to do |
|---|---|---|
| 4.0.0 – 6.36.x | Same domain (most dangerous) | Top priority: update to 6.37.0 |
| 4.0.0 – 6.36.x | Separate domains | Takeover risk lower, but update to 6.37.0 |
| 6.37.0 and later | — | No action needed |
Splitting the public site and admin panel across separate domains lowers the takeover risk, but the problem of a poisoned display being served to other visitors remains, so updating to 6.37.0 or later is recommended in any case.
What to do now
The top priority is to update Ghost to 6.37.0 or later. If you use Ghost(Pro) hosting, the provider updates it for you, but if you run it on your own server, upgrade urgently.
If you cannot update immediately, these mitigations help: at the cache in front (CDN or reverse proxy), strip the "x-ghost-preview" header, or configure pages whose response varies on this header not to be cached. Where possible, split the public site and admin panel onto separate domains. Also inspect for any added admin or staff accounts you do not recognize and any suspicious article changes.
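As an added illustration (not Ghost's code or its fix), the following Python model shows why a shared cache keyed on the URL alone is poisoned by a response that varies on an unkeyed header, and how the two proxy-side mitigations above stop it; the origin behaviour and the header value are constructed stand-ins.

```python
from typing import Callable, Dict, Tuple

PREVIEW_HEADER = "x-ghost-preview"
Request = Tuple[str, Dict[str, str]]   # (path, request headers)
Response = Tuple[str, Dict[str, str]]  # (body, response headers)

def origin(req: Request) -> Response:
    """Constructed stand-in for a vulnerable origin: the public response
    changes whenever the preview header is present, with no authentication."""
    path, headers = req
    if PREVIEW_HEADER in headers:
        return f"<preview:{headers[PREVIEW_HEADER]}>", {"Cache-Control": "public"}
    return f"<page {path}>", {"Cache-Control": "public"}

class SharedCache:
    """Cache keyed on the path only ('same URL => same contents'), so any
    response variation driven by an unkeyed header can poison it."""
    def __init__(self, upstream: Callable[[Request], Response]):
        self.upstream = upstream
        self.store: Dict[str, str] = {}

    def get(self, req: Request) -> str:
        path, _ = req
        if path in self.store:
            return self.store[path]
        body, resp_headers = self.upstream(req)
        if "no-store" not in resp_headers.get("Cache-Control", ""):
            self.store[path] = body
        return body

def strip_preview_header(req: Request) -> Response:
    """Mitigation 1: drop the header at the proxy before it reaches origin."""
    path, headers = req
    clean = {k: v for k, v in headers.items() if k.lower() != PREVIEW_HEADER}
    return origin((path, clean))

def no_cache_when_varying(req: Request) -> Response:
    """Mitigation 2: pass the header through but mark the response no-store,
    so the shared cache never keeps a preview variant."""
    body, resp_headers = origin(req)
    if PREVIEW_HEADER in req[1]:
        resp_headers = {**resp_headers, "Cache-Control": "no-store"}
    return body, resp_headers

def poisoning_succeeds(upstream: Callable[[Request], Response]) -> bool:
    """Constructed scenario: one request carrying the header, then a plain
    visitor. True if the plain visitor is served the preview variant."""
    cache = SharedCache(upstream)
    cache.get(("/", {PREVIEW_HEADER: "constructed-value"}))
    return cache.get(("/", {})).startswith("<preview")
```

In a real deployment the same two mitigations correspond to removing the header and bypassing the cache for such requests in the CDN or reverse-proxy configuration.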
Summary
Ghost's CVE-2026-53943 is a vulnerability in which a preview header that can be sent without authentication poisons the display and serves it to other visitors via a shared cache. When the public site and admin panel share the same domain, it can lead to staff account takeover. Its severity is CVSS 9.6, it affects 4.0.0 through the 6.36.x line, and it is fixed in 6.37.0.
Ghost is used by everything from personal blogs to paid media, so the blow to trust from a takeover is not small. If you run it on your own server, first check your version and, if it is old, update now. If new vulnerabilities concerning Ghost emerge, we will track them by adding to this article.