We’ve been made aware of a security vulnerability in Ghost versions 3.18.0 to 4.15.0. This is patched in 4.15.1 - which has already been released and rolled out on Ghost(Pro). Self-hosters should update to 4.15.1 (or 3.42.6 for those still on v3) as soon as possible.
An error in the implementation of the email change functionality for members means that the email address registered to a member’s profile can be changed without their consent.
Ghost instances without members functionality enabled are not affected.
Ghost(Pro) has already been patched. As Ghost(Pro) is maintained by the Ghost core team, it is always patched immediately when any security incident is reported.
Patch & Workarounds:
The patch in 4.15.1 and 3.42.6 adds a new authenticated endpoint for updating member email addresses. Updating Ghost is the quickest complete solution.
As a workaround, if for any reason you cannot update your Ghost instance, you can block access to the endpoint manually at your edge. For details, see the advisory.
Full details of the vulnerability have been published through GitHub Advisories. We’ve also published a notification to all affected sites that will appear in Ghost Admin and shared the details here on the forum. Affected Ghost 4.x versions will also self-notify site owners by email.
We’re grateful to everyone who finds and reports vulnerabilities responsibly, following our security policy.