PT-2026-44152 · Automad · Automad

Published: 2026-05-27 · Updated: 2026-05-28 · CVE-2026-45332

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Automad versions 2.0.0-alpha.1 through 2.0.0-beta.27

Description: A broken access control issue allows an unauthenticated attacker to retrieve the bcrypt password hashes of all administrator accounts via a single POST request. The setup endpoint "/api/user-collection/create-first-user" remains publicly accessible after the initial configuration is finished and returns full serialized user data in the JSON response body. This exposure includes the absolute filesystem path to the configuration directory. In version 2.0.0-beta.27, the response also includes the TOTP (Time-based One-Time Password) secret, which could allow an attacker to bypass two-factor authentication if a plaintext password is recovered through offline brute-force or dictionary attacks on the exposed bcrypt hashes.

Recommendations: Update to version 2.0.0-beta.28 or later.
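An illustrative model of the two defects described above and their remediation, added here as an example and not Automad's own code: a first-user setup handler that keeps answering after setup and serializes every stored field, beside one that refuses once any user exists and returns only public fields. The function names, the sample user store, the placeholder path and the placeholder hash and TOTP secret are all constructed for the example.

```python
# Constructed model of the setup-endpoint flaw and its fix; not Automad's code.
SENSITIVE_FIELDS = {"password", "totp_secret"}
CONFIG_DIR = "/srv/example/config"  # constructed placeholder, not a real path


def seed_store():
    """Constructed store with one administrator already created during setup."""
    return [{"name": "admin", "email": "admin@example.test",
             "password": "$2y$10$PLACEHOLDER_BCRYPT_HASH",
             "totp_secret": "PLACEHOLDER_TOTP_SECRET"}]


def create_first_user_vulnerable(store, body):
    """Vulnerable pattern: no check that setup already finished, and the
    response serializes every stored user in full plus a server-side path."""
    if not store:
        store.append({"name": body["name"], "email": body["email"],
                      "password": body["password_hash"], "totp_secret": None})
    return {"status": 200, "data": {"users": store, "configDir": CONFIG_DIR}}


def public_view(user):
    """Serialize a user record with secrets stripped."""
    return {k: v for k, v in user.items() if k not in SENSITIVE_FIELDS}


def create_first_user_fixed(store, body):
    """Fixed pattern: the endpoint is only valid while no user exists, and the
    response carries neither secrets nor filesystem details."""
    if store:
        return {"status": 403, "data": {"error": "setup already completed"}}
    store.append({"name": body["name"], "email": body["email"],
                  "password": body["password_hash"], "totp_secret": None})
    return {"status": 201, "data": {"user": public_view(store[0])}}


def leaked_fields(response):
    """Defender-side check: sensitive keys with a value anywhere in a response."""
    found = set()
    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in SENSITIVE_FIELDS and value is not None:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)
    walk(response)
    return found
```

The `leaked_fields` walker is the kind of check a response-schema test can run in CI so that a serializer change never reintroduces hashes or secrets into an API body.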

Fix

Weakness Enumeration: Information Disclosure, Missing Authentication

Related Identifiers: CVE-2026-45332, GHSA-XM76-R88J-VM3G

Affected Products: Automad