Skip to main content

Grav CMS CVE-2026-42609

HIGH
Improper Privilege Management (CWE-269)
2026-05-05 https://github.com/getgrav/grav GHSA-rr73-568v-28f8
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 21:49 vuln.today
Analysis Generated
May 05, 2026 - 21:49 vuln.today

DescriptionGitHub Advisory

Summary

A business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the request. This leads to a Denial of Service (DoS) on administrative functions and Privilege De-escalation of the root account.

Details

The vulnerability stems from an insecure "Create or Update" logic within the user management module. When the admin-addon handles a user creation request, it does not strictly validate whether the username is already taken by a higher-privileged account. Instead of returning a "409 Conflict" or a validation error, the application logic proceeds to overwrite the existing user configuration file (e.g., user/accounts/root0.yaml) with the new, lower-privileged data provided by the attacker. Because the attacker cannot assign higher permissions to themselves (due to existing fixes), the result is that the targeted account (the original Admin/Root) has its access levels wiped or replaced by the attacker's input, effectively locking the real administrator out of the system.

PoC

  1. Log in as a Super User (e.g., root0) and create a low-privileged user (e.g., adminuser).
  2. Assign adminuser the following specific permissions:

admin.login admin.users.list admin.users.read admin.users.create

  1. Log out and log back in as adminuser.
  2. Navigate to User Accounts -> Add.
  3. Fill in the form with the following details:

Username: root0 (The exact username of the Super User) Email: anything@grav.f Fullname: Fake Root0

  1. Click Save.
  2. Observe that the account is successfully "created".
  3. The original administrative permissions are gone, and the account is now restricted.
PoC video

https://github.com/user-attachments/assets/047cb44e-0279-402b-b4fb-12bf5d427a5e

Impact

This is a Privilege De-escalation and Account Disruption vulnerability. Who is impacted: Any Grav installation where a non-admin user is granted permission to create other users. Consequence: An attacker can effectively disable all administrative accounts on the platform, leading to a complete loss of management control over the CMS.

---

Maintainer note - fix applied (2026-04-24)

Fixed in Grav core on the 2.0 branch: commit d904efc33 - will ship in 2.0.0-beta.2.

What changed: UserObject::save already had a uniqueness guard (commit 19c2f8da7, November 2025) that blocks the PoC. This release tightens that guard:

  1. strpos($key, '@@')str_contains($key, '@@'). The previous form was falsy when the transient-key marker was at position 0 (e.g. @@hash), silently bypassing the check. str_contains returns a proper boolean.
  2. The instanceof FileStorage gate was dropped so the uniqueness check runs for any FlexStorageInterface backend - not just the default file-per-user YAML one.

A low-privileged user with admin.users.create can no longer disrupt a super-admin account by submitting that admin's username through the "add user" form.

Files:

AnalysisAI

Grav CMS Admin Panel allows authenticated users with only user-creation permissions to overwrite administrator accounts by submitting the admin's username when creating a new user. The flawed create-or-update logic replaces the existing super-admin account metadata with attacker-supplied low-privilege data, locking the legitimate administrator out and causing complete loss of management control. Vendor-released patch: fixed in 2.0.0-beta.2 (commit d904efc33). Publicly available exploit code exists (video PoC published by Grav maintainers). EPSS data not provided, but the low attack complexity and confirmed PoC make exploitation straightforward for any low-privileged user with create-user rights.

Technical ContextAI

Grav is a PHP-based flat-file content management system. The vulnerability resides in the Flex user management module (UserObject::save in system/src/Grav/Common/Flex/Types/Users/UserObject.php). When processing user creation requests, the application incorrectly implements create-or-update semantics without validating username uniqueness against existing accounts. The original guard (commit 19c2f8da7, November 2025) checked for transient keys using strpos($key, '@@'), which returns 0 (falsy in boolean context) when the marker appears at position zero-thereby silently bypassing the check. The fix switches to str_contains for correct boolean semantics and removes the instanceof FileStorage gate so the uniqueness check applies to all FlexStorageInterface backends, not just YAML-file storage. This is a CWE-269 (Improper Privilege Management) vulnerability: the system grants an authenticated low-privileged user the ability to de-escalate higher-privileged accounts by exploiting weak business logic rather than gaining privileges themselves.

RemediationAI

Upgrade to Grav CMS 2.0.0-beta.2 or later, which ships commit d904efc33 fixing the username collision logic. Patch commits: d904efc33 (primary fix), 5a12f9be8 and c66dfeb5f (related hardening). Vendor advisory and patch details at https://github.com/getgrav/grav/security/advisories/GHSA-rr73-568v-28f8. If immediate upgrade is not feasible, revoke admin.users.create permission from all non-admin accounts as a compensating control-restrict user creation to super-admin roles only. This eliminates the attack vector but reduces operational flexibility in multi-admin environments; manual user provisioning by super-admins becomes required. Additional compensating control: implement file-integrity monitoring (FIM) on user/accounts/*.yaml files and alert on modifications by low-privilege sessions-this provides detection but does not prevent exploitation. Monitor admin panel access logs for user-creation events with duplicate usernames (HTTP 200 responses to POST /admin/user requests where username matches existing account). Note that file permissions alone are insufficient as the PHP process legitimately writes these files; the logic flaw must be fixed at the code layer. Three unit tests added in tests/unit/Grav/Common/Security/UserOverwriteSecurityTest.php validate the fix and can be run to confirm patch application.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-42609 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy