{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/automad--2.0.0-alpha.1--2.0.0-beta.27/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Automad (\u003e= 2.0.0-alpha.1, \u003c= 2.0.0-beta.27)"],"_cs_severities":["high"],"_cs_tags":["automad","broken-access-control","credential-access","cve-2026-45332"],"_cs_type":"advisory","_cs_vendors":["Automad"],"content_html":"\u003cp\u003eAutomad, a file-based content management system, is vulnerable to a broken access control issue (CVE-2026-45332) affecting versions 2.0.0-alpha.1 through 2.0.0-beta.27. The vulnerability resides in the \u003ccode\u003e/_api/user-collection/create-first-user\u003c/code\u003e endpoint, which, after initial configuration, should be restricted. However, it remains publicly accessible and returns sensitive user data, including bcrypt password hashes for all administrator accounts. Version 2.0.0-beta.27 also exposes TOTP secrets. An unauthenticated attacker can exploit this vulnerability with a single POST request. \nThis exposure allows for offline brute-force attacks on password hashes and potential bypass of two-factor authentication (in version 2.0.0-beta.27), posing a significant risk to Automad installations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies an Automad instance running a vulnerable version (2.0.0-alpha.1 to 2.0.0-beta.27).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request to the \u003ccode\u003e/_api/user-collection/create-first-user\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe Automad server processes the request without authentication checks.\u003c/li\u003e\n\u003cli\u003eThe server retrieves serialized user data, including bcrypt password hashes and, in version 2.0.0-beta.27, TOTP secrets.\u003c/li\u003e\n\u003cli\u003eThe server returns the serialized user data in the JSON response body to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the bcrypt password hashes from the JSON response.\u003c/li\u003e\n\u003cli\u003eThe attacker performs an offline brute-force or dictionary attack on the extracted password hashes to recover plaintext passwords.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker uses the recovered plaintext passwords and, if applicable, the TOTP secret to gain unauthorized access to the Automad administration panel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAny publicly accessible Automad installation within the specified version range is vulnerable. Successful exploitation leads to the exposure of administrator account credentials, potentially granting attackers full control over the affected website. Version 2.0.0-beta.27 also exposes TOTP secrets, enabling bypass of two-factor authentication if a plaintext password is recovered. \nThe response also exposes the absolute filesystem path to the configuration directory, which, while publicly documented, may expose environment-specific information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all Automad installations to version 2.0.0-beta.28 or later to remediate CVE-2026-45332 as recommended by the vendor.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Automad Unauthenticated Password Hash Exposure Attempt\u0026rdquo; to detect POST requests to the vulnerable endpoint \u003ccode\u003e/_api/user-collection/create-first-user\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual POST requests to the \u003ccode\u003e/_api/user-collection/create-first-user\u003c/code\u003e endpoint, focusing on requests originating from unexpected IP addresses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T21:33:50Z","date_published":"2026-05-27T21:33:50Z","id":"https://feed.craftedsignal.io/briefs/2026-05-automad-bcrypt-exposure/","summary":"Automad versions 2.0.0-alpha.1 through 2.0.0-beta.27 are vulnerable to CVE-2026-45332, a Broken Access Control vulnerability that allows an unauthenticated attacker to retrieve bcrypt password hashes of administrator accounts using a single POST request to the `/_api/user-collection/create-first-user` endpoint, potentially leading to credential compromise and information disclosure.","title":"Automad Unauthenticated Exposure of Administrator Password Hashes and TOTP Secrets","url":"https://feed.craftedsignal.io/briefs/2026-05-automad-bcrypt-exposure/"}],"language":"en","title":"CraftedSignal Threat Feed — Automad (\u003e= 2.0.0-Alpha.1, \u003c= 2.0.0-Beta.27)","version":"https://jsonfeed.org/version/1.1"}