CVE-2026-22595
Ghost has Staff Token permission bypassGhost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session authentication. External systems that have been authenticated via Staff Tokens for Admin/Owner-role users would have had access to these endpoints. This issue has been patched in versions 5.130.6 and 6.11.0.
We have discovered 6,927 live websites that are affected by CVE-2026-22595.
Affected Software
| Product |  Ghost |
| Category | Headless CMS |
| Vulnerable Domains | 6,927 live websites (50% of Ghost install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 19 versions ( 6.62% of all versions) |
Common Weakness Enumeration
CWE-863 Incorrect AuthorizationDetails
- Published - Jan 10, 2026
- Updated - Jan 12, 2026
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-22595 United States | 5,211 websites |
 Germany | 553 websites |
 GB | 228 websites |
 France | 169 websites |
 Singapore | 80 websites |
 Canada | 80 websites |
 Netherlands | 55 websites |
 Russia | 50 websites |
 Australia | 38 websites |
 Italy | 33 websites |
Website Distribution by TLD
Number of websites using CVE-2026-22595| .com | 3,753 websites |
| .org | 376 websites |
| .io | 334 websites |
| .net | 289 websites |
| .de | 173 websites |
| .co.uk | 125 websites |
| .co | 98 websites |
| .fr | 87 websites |
| .nl | 70 websites |
| .ca | 58 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-22595
Top websites that are affected by CVE-2026-22595. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.com | United States | *** | |
| **********.com | United States | *** | |
| *.*****************.org | United States | *** | |
| *****.org | Singapore | *,*** | |
| ********.com | United States | *,*** | |
| ************.com | United States | *,*** | |
| ****.************.com | United States | *,*** | |
| ****.****.com | United States | *,*** | |
| ***************.nl | Netherlands | **,*** | |
| *******.ca | Canada | **,*** |
FAQ
CVE-2026-22595 is Incorrect Authorization in Ghost
A total of 6,927 websites have been identified as vulnerable to CVE-2026-22595, based on global website indexing conducted by WebTechSurvey.
The Ghost is affected by the CVE-2026-22595 vulnerability.
Ghost versions up to 6.11 are vulnerable to CVE-2026-22595.
CVE-2026-22595 is resolved in version 6.11 of Ghost.