Skip to main content

Grav CMS CVE-2026-44738

| EUVDEUVD-2026-29135 HIGH
Information Exposure (CWE-200)
2026-05-11 GitHub_M GHSA-j274-39qw-32c9
7.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
May 11, 2026 - 18:17 EUVD
Analysis Generated
May 11, 2026 - 16:45 vuln.today
CVE Published
May 11, 2026 - 15:47 nvd
HIGH 7.7

DescriptionGitHub Advisory

Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray() from within a page body, dumping the entire merged site configuration - including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens) - into the rendered HTML. No administrator privileges are required. This vulnerability is fixed in 2.0.0-rc.2.

AnalysisAI

Information disclosure in Grav CMS versions prior to 2.0.0-rc.2 allows authenticated users with admin.pages role to extract all site configuration secrets via Twig sandbox bypass. Attackers can invoke config.toArray() from page content to dump SMTP passwords, AWS keys, OAuth client secrets, and API tokens into rendered HTML. CVSS 7.7 (High) with confirmed scope change reflects cross-tenant impact in multi-admin environments. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis.

Technical ContextAI

Grav is a flat-file CMS using Twig templating with sandbox security controls to isolate user-supplied templates from sensitive runtime data. The vulnerability stems from an overly permissive Twig sandbox allow-list (CWE-200: Exposure of Sensitive Information) that fails to block method calls on the global config object. Users with admin.pages role - intended for content editing, not full system administration - can embed Twig expressions like {{ config.toArray() }} in page bodies. When processed, this method serializes the entire merged configuration tree, including environment variables, plugin credentials, and third-party service tokens, directly into the HTML response. The scope change (S:C in CVSS vector) indicates that secrets belonging to other administrative contexts or integrated services are exposed beyond the attacker's granted privileges. CPE cpe:2.3:a:getgrav:grav identifies the affected product as the Grav core platform itself, not a specific plugin.

RemediationAI

Upgrade to Grav CMS version 2.0.0-rc.2 or later, which implements stricter Twig sandbox controls to block config.toArray() and similar introspection methods from page content. The vendor-released patch is available via the GitHub security advisory at https://github.com/getgrav/grav/security/advisories/GHSA-j274-39qw-32c9. For environments unable to immediately upgrade to a release candidate, implement compensating controls: revoke admin.pages role from untrusted or external users and limit page editing to fully trusted administrators only (trade-off: reduces collaborative content workflows). Rotate all exposed secrets (SMTP passwords, API keys, OAuth tokens) found in config files after applying the patch, as any previously created page containing config.toArray() may have leaked credentials to server logs or cached HTML. Review HTTP access logs and page edit history for suspicious Twig expressions matching config method calls to identify potential exploitation. Note that disabling Twig processing globally breaks core Grav functionality and is not a viable mitigation.

More in Grav

View all
CVE-2025-66294 HIGH POC
8.8 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists

CVE-2025-66301 CRITICAL POC
9.6 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical

CVE-2025-50286 HIGH POC
8.1 Aug 06

A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plug

CVE-2024-34082 CRITICAL POC
9.9 May 15

Grav is a file-based Web platform. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low a

CVE-2021-47812 CRITICAL POC
9.8 Jan 16

GravCMS 1.10.7 allows unauthenticated remote attackers to write arbitrary YAML configuration files, leading to full serv

CVE-2025-66297 HIGH POC
8.8 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or e

CVE-2025-66299 HIGH POC
8.8 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (S

CVE-2024-28119 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-28118 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-28117 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-28116 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-27921 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

Share

CVE-2026-44738 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy