{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreichoo2zmyu52we2aguyr6izfvtc7vv4g4b56ttinq3qh7fd3gdflu",
"uri": "at://did:plc:cp5oragmzw4fq7opnsbanqnq/app.bsky.feed.post/3mkd5xlfd3yf2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreibmfnqvworwungtprio6rb462ebobqyatbnikntrxcgtwsqzejhdm"
},
"mimeType": "image/webp",
"size": 18548
},
"description": "And you might need to roll your keys, too.",
"path": "/blog/if-you-are-on-less-than-ghost-6-19-1-its-way-past-time-to-upgrade/",
"publishedAt": "2026-04-25T13:37:16.000Z",
"site": "https://www.spectralwebservices.com",
"tags": [],
"textContent": "Hey self-hosting folks,\n\n**REMINDER: I don’t work for Ghost. The content below is my own opinion, not that of the Ghost Foundation, blah blah blah. Might be wrong, and possibly worth only what you paid for it (nothing).**\n\nIn case you’ve missed it, Ghost had a baaad security vulnerability back in February, disclosed here (GitHub advisory from TryGhost; the linked card reads):\n\n> **SQL injection in Content API**\n>\n> **Impact:** A SQL injection vulnerability existed in Ghost’s Content API that allowed unauthenticated attackers to read arbitrary data from the database.\n>\n> **Vulnerable Versions:** This vulne…\n\nThat’s a bad one. Specifically, it allows an attacker to read your whole site, including Admin API keys, and once they’ve got the Admin API key, there’s a lot that can go wrong.\n\n💡\n\nIf you are in managed hosting (at least Ghost Pro, Synaps, Magic Pages), you got patched as soon as 6.19.1 was released. You can probably give a sigh of relief and stop reading. This post is mostly for self-hosters who haven't upgraded, or who waited a while before upgrading.\n\nSo, if you’re self-hosting, you should IMMEDIATELY upgrade. Do not pass go, do not collect $200, just upgrade. (The vulnerability is there all the way back to 3.x, so older sites are not safe.)\n\nIf you updated right when 6.19.1 was released, it might be OK to assume that your site wasn’t compromised before you updated, since the vulnerability probably wasn’t widely known… maybe. If you’re still at < 6.19.1 NOW, you need to seriously consider the possibility that attackers might already have your Admin API key, and that upgrading will remove the ability to get a key, but not fix any existing key leakage.\n\nMy possibly over-cautious thought is that you absolutely _need_ to **upgrade** immediately, _and then you should probably roll all your keys, including staff tokens_. I’m not sure if this is overly alarmist, but better safe than sorry? My thinking here is that\n\n**NOTE: If you have services connected through these keys, you WILL break them by doing this. You’ll need to revisit each service and provide the newly regenerated key/token. Yes, that sounds like a pain.**\n\nStaff tokens can be regenerated from the individual staff profile (only for the logged-in user). Scroll down and click ‘regenerate’. Suspend any admin or enhanced editor users you can’t get to regenerate their own tokens. (Editors with the enhanced editor role can read the members list.)\n\nYour Admin API keys in custom integrations can be regenerated from /ghost > settings > custom - click into each integration and regenerate.\n\nYou also need to regenerate your Zapier token - in /ghost > settings > integrations, click ‘configure’ next to Zapier and regenerate the token. I’ve seen two reports of sites being compromised via Zapier token, specifically. I’m not _sure_ it’s from this vulnerability instead of a Zapier vulnerability/leak, but I’m suspicious.\n\n* * *\n\nThat’s all I know. Wanted to get it out there in case it helps someone. Even if key rolling sounds like too much to do today, please please please do yourself a favor and update to >= 6.19.1.\n\n(This is a crosspost with the Ghost forum: https://forum.ghost.org/t/if-you-are-on-ghost-6-19-1-you-really-need-to-update/62706 )\n\n* * *\n\nHey, before you go... If your finances allow you to keep this tea-drinking ghost and the freelancer behind her supplied with our hot beverage of choice, we'd both appreciate it!\n\nBuy me a tea ☕️",
"title": "If you are on less than Ghost 6.19.1, it's way past time to upgrade",
"updatedAt": "2026-04-25T14:33:39.110Z"
}