Description
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the request. This leads to a Denial of Service (DoS) on administrative functions and Privilege De-escalation of the root account. This vulnerability is fixed in 2.0.0-beta.2.
Published: 2026-05-11
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the user overwrite logic in the Grav Admin Panel. A user granted only account‑creation permissions can submit a user‑creation request that names an existing username, and the system updates that account's metadata and permissions instead of rejecting the request. The attacker can thereby overwrite the primary administrator's account, which denies administrative functions and downgrades the root account's privileges. The flaw is classified as a business‑logic flaw that permits unauthorized privilege modification.
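To make the flaw class concrete, the following Python model is an added example, not Grav's code: it assumes a file‑per‑account store (borrowed from Grav's file‑based design, without reproducing Grav's real layout or admin API) and contrasts a "create" path that silently overwrites with one that rejects an existing username atomically.

```python
"""Model of the user-overwrite flaw class described for CVE-2026-42609.

Assumption (not Grav's real storage or API): one JSON file per account
under a directory, named after the username.
"""
import json
import os
import tempfile


def _path(root, username):
    # Reject anything that could escape the accounts directory.
    if not username.isalnum():
        raise ValueError("username must be alphanumeric")
    return os.path.join(root, f"{username}.json")


def create_user_vulnerable(root, username, data):
    # Creation and update share one write path, so a "new user" request
    # naming an existing account replaces that account's permissions.
    with open(_path(root, username), "w") as f:
        json.dump(data, f)
    return True


def create_user_fixed(root, username, data):
    # Exclusive create ('x') fails if the file already exists, so an
    # existing account is rejected without a check-then-write race.
    try:
        with open(_path(root, username), "x") as f:
            json.dump(data, f)
    except FileExistsError:
        return False
    return True


def load_user(root, username):
    with open(_path(root, username)) as f:
        return json.load(f)


def demo(create):
    # Constructed scenario: an admin exists, then a low-privileged user
    # submits a "create user" request reusing the admin's username.
    root = tempfile.mkdtemp()
    create_user_fixed(root, "admin", {"access": {"admin": {"super": True}}})
    accepted = create(root, "admin", {"access": {"site": {"login": True}}})
    return accepted, load_user(root, "admin")
```

With the vulnerable path the request is accepted and the admin account loses its super access; with the fixed path the request is refused and the account is untouched.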

Affected Systems

Getgrav Grav is affected; any installation running a version older than 2.0.0‑beta.2 is vulnerable. The problem was identified before the 2.0.0‑beta.2 release, which includes the fix. No other products or subsidiary versions are listed.

Risk and Exploitability

The CVSS base score of 8.1 indicates high severity, and the EPSS score is not available. The vulnerability is not listed in CISA KEV. The likely attack vector is a low‑privileged user with account‑creation rights who can interact with the Grav Admin Panel. Exploitation requires no network access beyond what a legitimate user already has, making the risk moderate to high for environments that allow untrusted users to create accounts.

Generated by OpenCVE AI on May 11, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Grav to version 2.0.0‑beta.2 or later.
  • If immediate upgrade is not possible, remove account‑creation permissions from all non‑administrator roles to prevent overwriting existing users.
  • Temporarily disable or restrict access to the Grav Admin Panel until the issue is patched, and monitor logs for abnormal user‑creation attempts.


Advisories
Source: Github GHSA
ID: GHSA-rr73-568v-28f8
Title: Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic

History

Tue, 12 May 2026 16:30:00 +0000

  CPEs (values added):
    cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*
    cpe:2.3:a:getgrav:grav:2.0.0:beta1:*:*:*:*:*:*

Mon, 11 May 2026 17:15:00 +0000

  First Time appeared (values added): Getgrav; Getgrav grav
  Vendors & Products (values added): Getgrav; Getgrav grav

Mon, 11 May 2026 15:30:00 +0000

  Description (value added): Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the request. This leads to a Denial of Service (DoS) on administrative functions and Privilege De-escalation of the root account. This vulnerability is fixed in 2.0.0-beta.2.
  Title (value added): Grav: Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic
  Weaknesses (values added): CWE-269, CWE-285, CWE-639, CWE-837
  References (values added): none shown
  Metrics (value added): cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T15:03:38.296Z

Reserved: 2026-04-29T00:31:15.725Z

Link: CVE-2026-42609

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-11T16:17:33.610

Modified: 2026-05-12T16:16:54.790

Link: CVE-2026-42609

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T17:00:15Z