Grav CMS CVE-2026-42609
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
A business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the request. This leads to a Denial of Service (DoS) on administrative functions and Privilege De-escalation of the root account.
Details
The vulnerability stems from an insecure "Create or Update" logic within the user management module. When the admin-addon handles a user creation request, it does not strictly validate whether the username is already taken by a higher-privileged account. Instead of returning a "409 Conflict" or a validation error, the application logic proceeds to overwrite the existing user configuration file (e.g., user/accounts/root0.yaml) with the new, lower-privileged data provided by the attacker. Because the attacker cannot assign higher permissions to themselves (due to existing fixes), the result is that the targeted account (the original Admin/Root) has its access levels wiped or replaced by the attacker's input, effectively locking the real administrator out of the system.
PoC
- Log in as a Super User (e.g., root0) and create a low-privileged user (e.g., adminuser).
- Assign adminuser the following specific permissions:
admin.login admin.users.list admin.users.read admin.users.create
- Log out and log back in as adminuser.
- Navigate to User Accounts -> Add.
- Fill in the form with the following details:
Username: root0 (The exact username of the Super User) Email: anything@grav.f Fullname: Fake Root0
- Click Save.
- Observe that the account is successfully "created".
- The original administrative permissions are gone, and the account is now restricted.
PoC video
https://github.com/user-attachments/assets/047cb44e-0279-402b-b4fb-12bf5d427a5e
Impact
This is a Privilege De-escalation and Account Disruption vulnerability. Who is impacted: Any Grav installation where a non-admin user is granted permission to create other users. Consequence: An attacker can effectively disable all administrative accounts on the platform, leading to a complete loss of management control over the CMS.
---
Maintainer note - fix applied (2026-04-24)
Fixed in Grav core on the 2.0 branch: commit d904efc33 - will ship in 2.0.0-beta.2.
What changed: UserObject::save already had a uniqueness guard (commit 19c2f8da7, November 2025) that blocks the PoC. This release tightens that guard:
strpos($key, '@@')→str_contains($key, '@@'). The previous form was falsy when the transient-key marker was at position 0 (e.g.@@hash), silently bypassing the check.str_containsreturns a proper boolean.- The
instanceof FileStoragegate was dropped so the uniqueness check runs for anyFlexStorageInterfacebackend - not just the default file-per-user YAML one.
A low-privileged user with admin.users.create can no longer disrupt a super-admin account by submitting that admin's username through the "add user" form.
Files:
system/src/Grav/Common/Flex/Types/Users/UserObject.php.tests/unit/Grav/Common/Security/UserOverwriteSecurityTest.php- 3 tests pinning the PoC, the@@-prefix edge case, and pass-through for free usernames.
AnalysisAI
Grav CMS Admin Panel allows authenticated users with only user-creation permissions to overwrite administrator accounts by submitting the admin's username when creating a new user. The flawed create-or-update logic replaces the existing super-admin account metadata with attacker-supplied low-privilege data, locking the legitimate administrator out and causing complete loss of management control. Vendor-released patch: fixed in 2.0.0-beta.2 (commit d904efc33). Publicly available exploit code exists (video PoC published by Grav maintainers). EPSS data not provided, but the low attack complexity and confirmed PoC make exploitation straightforward for any low-privileged user with create-user rights.
Technical ContextAI
Grav is a PHP-based flat-file content management system. The vulnerability resides in the Flex user management module (UserObject::save in system/src/Grav/Common/Flex/Types/Users/UserObject.php). When processing user creation requests, the application incorrectly implements create-or-update semantics without validating username uniqueness against existing accounts. The original guard (commit 19c2f8da7, November 2025) checked for transient keys using strpos($key, '@@'), which returns 0 (falsy in boolean context) when the marker appears at position zero-thereby silently bypassing the check. The fix switches to str_contains for correct boolean semantics and removes the instanceof FileStorage gate so the uniqueness check applies to all FlexStorageInterface backends, not just YAML-file storage. This is a CWE-269 (Improper Privilege Management) vulnerability: the system grants an authenticated low-privileged user the ability to de-escalate higher-privileged accounts by exploiting weak business logic rather than gaining privileges themselves.
RemediationAI
Upgrade to Grav CMS 2.0.0-beta.2 or later, which ships commit d904efc33 fixing the username collision logic. Patch commits: d904efc33 (primary fix), 5a12f9be8 and c66dfeb5f (related hardening). Vendor advisory and patch details at https://github.com/getgrav/grav/security/advisories/GHSA-rr73-568v-28f8. If immediate upgrade is not feasible, revoke admin.users.create permission from all non-admin accounts as a compensating control-restrict user creation to super-admin roles only. This eliminates the attack vector but reduces operational flexibility in multi-admin environments; manual user provisioning by super-admins becomes required. Additional compensating control: implement file-integrity monitoring (FIM) on user/accounts/*.yaml files and alert on modifications by low-privilege sessions-this provides detection but does not prevent exploitation. Monitor admin panel access logs for user-creation events with duplicate usernames (HTTP 200 responses to POST /admin/user requests where username matches existing account). Note that file permissions alone are insufficient as the PHP process legitimately writes these files; the logic flaw must be fixed at the code layer. Three unit tests added in tests/unit/Grav/Common/Security/UserOverwriteSecurityTest.php validate the fix and can be run to confirm patch application.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-rr73-568v-28f8