Vendor
Automad versions 2.0.0-alpha.1 through 2.0.0-beta.27 are vulnerable to CVE-2026-45332, a Broken Access Control vulnerability that allows an unauthenticated attacker to retrieve bcrypt password hashes of administrator accounts using a single POST request to the `/_api/user-collection/create-first-user` endpoint, potentially leading to credential compromise and information disclosure.