ANT-2026-H5T8XKWR · TryGhost/Ghost

sql-injection critical

GHSA-w52v-v783-gw97

Severity: Claude critical · Security research firm: - · Maintainer: critical

Discovered by Claude Mythos Preview

REPORT

The report below was sent to the maintainer and sealed at approval.

ANT-2026-H5T8XKWR: SQL injection in Content API

The Ghost Content API, which is publicly accessible by design, fails to properly sanitize the slug filter parameter in query strings. An unauthenticated attacker can inject SQL via a crafted slug:[...] filter value. This allows reading arbitrary data from the Ghost database, including staff API keys and other sensitive records. Because the Content API key is intentionally public, no authentication barrier exists.

Target

Project: TryGhost/Ghost
Discovery: static analysis — not yet dynamically reproduced

Technical Details

User-supplied input in the Content API filter query-string parameter (specifically slug:[...] expressions) is incorporated into a SQL query without sufficient sanitization, permitting injection of arbitrary SQL and exfiltration of any row in the database.

Reproduction

This finding was identified by static analysis and has not yet been dynamically reproduced. The Technical Details section above describes the code path; a trigger input is not included.

[No reproducer or sanitizer output attached — request from cvd@anthropic.com if needed.]

Acknowledgement

This vulnerability was discovered by Claude, Anthropic's AI assistant, and triaged by the Anthropic security team in collaboration with Anthropic Research. Please direct questions to security-cvd@anthropic.com and reference ANT-2026-H5T8XKWR.


Reference: ANT-2026-H5T8XKWR
Anthropic CVD Policy: https://anthropic.com/security/cvd-policy

UPSTREAM FIX

https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97

TIMELINE

Dates from discovery through public reveal.

  1. 2026-02-18 Patch released
  2. 2026-03-29 Reported to tracker
  3. 2026-05-08 Sent to maintainer
  4. 2026-05-08 Maintainer acknowledged
  5. 2026-05-20 Publicly revealed

PROVENANCE

SHA-3-512 hash:

6479c89ca89975bde1a83168dcdaf7c0efffd8b9c3938659365bc7a4974131645c651422ea7bf38a531543cbeecea4d68d0743fa17e25e35e030028719e4c652

Committed 2026-05-08 09:37 PT

Revealed 2026-05-20 00:40 PT

Verify (download preimage.json)

{
  "ant_id": "ANT-2026-H5T8XKWR",
  "bug_class": "sql-injection",
  "claude_severity": "critical",
  "commit_sha": null,
  "created_at": "2026-03-29T20:43:35+00:00",
  "description": "The Ghost Content API, which is publicly accessible by design, fails to properly sanitize the slug filter parameter in query strings. An unauthenticated attacker can inject SQL via a crafted `slug:[...]` filter value. This allows reading arbitrary data from the Ghost database, including staff API keys and other sensitive records. Because the Content API key is intentionally public, no authentication barrier exists.",
  "discovered_at": null,
  "location": null,
  "poc_sha256": null,
  "preimage_version": 1,
  "project": "TryGhost/Ghost",
  "reproduction": null,
  "technical_details": "User-supplied input in the Content API `filter` query-string parameter (specifically `slug:[...]` expressions) is incorporated into a SQL query without sufficient sanitization, permitting injection of arbitrary SQL and exfiltration of any row in the database.",
  "title": "SQL injection in Content API",
  "vendor_severity": null
}