CVE-2026-45332: Automad Unauthenticated Administrator Credential Exposure
Automad versions 2.0.0-alpha.1 through 2.0.0-beta.27 contain a critical configuration flaw that exposes administrator password hashes to anyone on the internet. The setup endpoint designed to create the first user account remains publicly accessible after installation completes, leaking sensitive credential data without authentication. An attacker can retrieve every administrator's bcrypt hash with a single request, enabling offline password cracking attacks.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-200, CWE-306
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The /_api/user-collection/create-first-user setup endpoint remains publicly accessible once initial configuration is complete and returns full serialized user data in the JSON response body. This vulnerability is fixed in 2.0.0-beta.28.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This broken access control vulnerability (CWE-200, CWE-306) stems from insufficient access controls on the /_api/user-collection/create-first-user endpoint. The endpoint is designed for initial setup but fails to disable or restrict access once configuration is complete. When invoked via POST request, it returns the full serialized user collection including bcrypt password hashes for all administrator accounts. The vulnerability affects all versions from 2.0.0-alpha.1 to 2.0.0-beta.27; version 2.0.0-beta.28 and later restrict endpoint access appropriately. An attacker requires only network access to the Automad instance and can enumerate credentials without authentication or privileged credentials.
Business impact
Organizations running vulnerable Automad instances face immediate risk of administrator account compromise. Because bcrypt hashes are exposed, attackers can perform offline brute-force or dictionary attacks against administrator passwords at scale and without rate limiting. Successful compromise grants full administrative access to the CMS, enabling data theft, content manipulation, malware injection, and lateral movement within the hosting environment. The vulnerability is trivial to exploit and leaves no authentication trail, making detection difficult until after unauthorized activity occurs.
Affected systems
Automad flat-file CMS versions 2.0.0-alpha.1 through 2.0.0-beta.27 are affected. The vulnerable endpoint affects all installations that completed initial setup without subsequently patching. Later versions (2.0.0-beta.28 and beyond) have corrected the access control issue. Self-hosted and managed instances using affected versions are equally at risk; exposure depends on network accessibility to the Automad application.
Exploitability
Exploitability is very high. The attack requires no authentication, no special privileges, and no user interaction. An attacker simply sends a POST request to a known API endpoint and receives administrator password hashes in the response. The simplicity and lack of friction make this vulnerability trivial to weaponize at scale. No credential guessing, no multi-step exploitation chains, and no race conditions are required. The only limiting factor is whether the vulnerable endpoint is network-reachable.
Remediation
Upgrade to Automad version 2.0.0-beta.28 or later, which restricts access to the setup endpoint after initial configuration. Verify against the vendor advisory that your target version is included in the patched release. If immediate patching is not feasible, temporarily restrict network access to the /_api/user-collection/create-first-user endpoint at the firewall or reverse proxy layer. Additionally, assume all administrator password hashes have been exposed; force administrator password resets after patching and monitor for unauthorized administrative activity.
Patch guidance
Apply Automad version 2.0.0-beta.28 or later. Verify the patch by confirming the /_api/user-collection/create-first-user endpoint returns an access denied or authentication required response after setup completes. Test in a non-production environment first to confirm no service disruption. After patching, reset all administrator account passwords to invalidate any compromised hashes and clear session tokens to force re-authentication.
Detection guidance
Search logs for POST requests to /_api/user-collection/create-first-user from external IP ranges or during off-hours. Monitor for successful HTTP 200 responses containing user data JSON from that endpoint post-deployment. Check for bcrypt hashes ($2a$, $2b$, $2y$ prefixes) appearing in access logs or WAF logs associated with this endpoint. Correlate endpoint access with subsequent administrative login activity from unfamiliar IP addresses or unusual times. Examine Automad's internal logs for unauthorized user creation or modification events.
Why prioritize this
This vulnerability scores CVSS 7.5 (HIGH) and warrants immediate patching. The combination of zero authentication requirement, trivial exploitability, and direct exposure of administrator credentials creates urgent risk. While not yet listed on CISA's KEV catalog, the vulnerability is immediately weaponizable and requires no sophisticated attack infrastructure. Any Automad instance exposed to untrusted networks should be treated as compromised until patched and audited.
Risk score, explained
The CVSS 3.1 score of 7.5 reflects high severity driven by network-accessible exploitation (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction (UI:N), high confidentiality impact (C:H), and no integrity or availability impact. The score accurately reflects the credential exposure risk but does not fully capture the post-exploitation danger of administrative account compromise. Organizations should treat this as critical if their Automad instances are internet-facing or accessible to untrusted networks.
Frequently asked questions
Can an attacker crack the exposed bcrypt hashes without specialized hardware?
Yes, bcrypt hashes can be cracked offline using standard GPUs or distributed cracking services. Weak administrator passwords are especially vulnerable. The hashes themselves are not the exploit—they are the outcome of the vulnerability. An attacker gains time and unlimited attempts to crack them without rate limiting or detection during the cracking process.
Is there any difference in risk between alpha, beta, and release versions?
All versions from 2.0.0-alpha.1 through 2.0.0-beta.27 are affected identically. The vulnerability was introduced early in the 2.0.0 development cycle and persisted through beta. Version 2.0.0-beta.28 is the first patched release; verify your installed version against the vendor advisory before declaring compliance.
If my Automad instance is behind a firewall with restricted network access, am I still at risk?
Risk is significantly reduced but not eliminated if network access is properly restricted to trusted networks only. However, if the instance is accessible to internal users, compromised internal systems, or developers who may be socially engineered, the vulnerability remains exploitable. Patching is still strongly recommended regardless of network posture.
How can I determine if my Automad installation has been exploited?
Check administrator account creation timestamps and password change history; look for unexpected accounts. Search web server access logs for POST requests to /_api/user-collection/create-first-user with HTTP 200 responses, especially from suspicious IP addresses. Review Automad's configuration and user database directly if accessible. Consider the breach assumption: if the vulnerable version was exposed to the internet, assume the hashes were harvested and treat all administrator credentials as compromised until reset.
This analysis is provided for informational purposes and reflects the vulnerability as described in published advisories as of the modification date. Specific version numbers, patch availability, and affected configurations should be verified against official vendor guidance and security advisories. Organizations should test patches in non-production environments and conduct thorough post-patch audits. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and disclaims liability for any damages resulting from reliance on this information. Always consult your vendor's official advisory and your security team before making remediation decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-69755HIGHNeterbit NW-431F Router RCE and Data Exposure Vulnerability
- CVE-2026-10243HIGHSmart Parking System 1.0 Authentication Bypass – Remote Admin Access
- CVE-2026-10281HIGHEnderfga claw-orchestrator Authentication Bypass – Patch Available
- CVE-2026-10617HIGHGoClaw Webhook Authentication Bypass – Remote Exploitation
- CVE-2026-24088HIGHQualcomm Bootloader Cryptographic Verification Flaw (CVSS 8.2)
- CVE-2026-24090HIGHQualcomm Partition Table Cryptographic Flaw Enables Boot Modification
- CVE-2026-36603HIGHMercusys AC12G Unauthenticated UPnP Port Forwarding Vulnerability
- CVE-2026-36611HIGHMercusys AC12G Memory Disclosure Vulnerability