CVE-2026-53943

TryGhost · Ghost

Ghost is vulnerable to cache poisoning via the x-ghost-preview header, allowing unauthenticated attackers to manipulate frontend responses and potentially hijack staff accounts.

Executive summary

A critical cache poisoning vulnerability in Ghost allows unauthenticated attackers to hijack staff sessions if the frontend and admin panel share a domain.

Vulnerability

The application fails to properly validate the x-ghost-preview header when operating behind a shared caching layer. This allows an unauthenticated attacker to inject malicious content into the cache, which is then served to subsequent users, including administrative staff.

Business impact

The vulnerability carries a CVSS score of 9.6, reflecting the high potential for full account takeover of administrative accounts. Successful exploitation could lead to unauthorized access to sensitive site configurations, content modification, and potential data exfiltration, resulting in significant reputational and operational damage.

Remediation

Immediate Action: Upgrade your Ghost installation to version 6.37.0 or later to resolve the header validation flaw.

Proactive Monitoring: Review application access logs for anomalous requests containing the "x-ghost-preview" header and monitor for unauthorized administrative logins.

Compensating Controls: If immediate patching is not feasible, ensure that the frontend and admin panel are hosted on distinct domains to prevent cross-site session manipulation.
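The three remediation steps above, as added triage helpers written for this page (example code, not Ghost's own): a version check against 6.37.0, a check for the shared-domain condition the compensating control addresses, and a scan of access logs for requests carrying the x-ghost-preview header. The code assumes the Ghost config keys `url` and `admin.url`, and a proxy log format that appends the header value as a trailing quoted field; the log lines are constructed.

```python
"""Defender-side triage helpers for CVE-2026-53943 (Ghost x-ghost-preview
cache poisoning). Added example, not Ghost project code. Assumptions: the Ghost
config exposes the frontend URL as `url` and the admin URL as `admin.url`;
the reverse proxy logs the header value as a trailing quoted field."""
import re
from urllib.parse import urlparse

FIXED_VERSION = (6, 37, 0)  # first fixed release named in the advisory

def parse_version(version: str) -> tuple:
    """Turn '6.36.2' (leading 'v' and pre-release suffix ignored) into a tuple."""
    core = version.strip().lstrip("v").split("-")[0]
    return tuple(int(p) for p in core.split("."))

def needs_upgrade(version: str) -> bool:
    """True when the installed Ghost is older than the fixed 6.37.0."""
    return parse_version(version) < FIXED_VERSION

def shares_domain(config: dict) -> bool:
    """True when frontend and admin resolve to the same host, i.e. the
    compensating control from the advisory is not in place."""
    frontend = urlparse(config["url"]).hostname
    admin_url = config.get("admin", {}).get("url")
    admin = urlparse(admin_url).hostname if admin_url else frontend
    return frontend == admin

# Assumed log format: nginx 'combined' plus the x-ghost-preview header value
# appended as one more quoted field ("-" when the header is absent).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<preview>[^"]*)"$')
def find_preview_requests(lines):
    """Return (ip, request line, header value) for each request that carries
    a non-empty x-ghost-preview header; these are the ones to review."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("preview") not in ("", "-"):
            hits.append((m.group("ip"), m.group("req"), m.group("preview")))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '198.51.100.9 - - [01/Jan/2026:10:00:01 +0000] "GET /welcome/ HTTP/1.1" 200 900 "-" "curl/8.0" "constructed-value"',
    '203.0.113.5 - - [01/Jan/2026:10:00:02 +0000] "GET /about/ HTTP/1.1" 200 700 "-" "Mozilla/5.0" "-"',
]
if __name__ == "__main__":
    print("upgrade needed for 6.36.2:", needs_upgrade("6.36.2"))
    for hit in find_preview_requests(SAMPLE_LOG):
        print("x-ghost-preview seen:", hit)
```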

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability presents a severe risk to the integrity of administrative accounts. Organizations should prioritize the update to version 6.37.0 as the primary mitigation strategy. Failure to patch may expose the administrative interface to session hijacking if shared caching configurations are present.