Description
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (e.g., a Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by using the grav['accounts'] service. An attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt. This vulnerability is fixed in 2.0.0-beta.2.
Published: 2026-05-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Grav, a file-based web platform, has an access control flaw that allows a low-privileged user with only page-update rights to bypass the Twig sandbox by calling the grav['accounts'] service. By doing so, an attacker can load administrative user objects and extract sensitive data such as Bcrypt password hashes and the security salt. The weakness is classified as CWE-863 (Incorrect Authorization); its consequence is the potential compromise of authentication data, enabling credential theft.

Affected Systems

This issue affects all installations of Grav prior to version 2.0.0-beta.2. Administrators should verify their installed release and upgrade if it is older than 2.0.0-beta.2.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an authenticated web request or API call made by a user with page-update permissions. The attack requires the attacker to hold valid credentials and a role that includes the ability to update pages; from there they can craft a request to the accounts service and obtain restricted data.

Generated by OpenCVE AI on May 11, 2026 at 17:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Grav to version 2.0.0-beta.2 or later.
  • Ensure only administrators have access to the grav['accounts'] service; reduce or remove pages.update rights from non-admin users.
  • Monitor authentication logs for suspicious activity and enforce stricter role separation around sensitive user data.

Advisories

Source: Github GHSA
ID: GHSA-3f29-pqwf-v4j4
Title: Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass

History

Tue, 12 May 2026 16:30:00 +0000

Type: CPEs
Values added:
  cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*
  cpe:2.3:a:getgrav:grav:2.0.0:beta1:*:*:*:*:*:*

Mon, 11 May 2026 17:15:00 +0000

Type: First Time appeared
Values added: Getgrav; Getgrav grav

Type: Vendors & Products
Values added: Getgrav; Getgrav grav

Mon, 11 May 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values added:
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 15:30:00 +0000

Type: Description
Values added: Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav['accounts'] service. Attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt. This vulnerability is fixed in 2.0.0-beta.2.

Type: Title
Values added: Grav: Sensitive Information Disclosure via Accounts Service Bypass

Type: Weaknesses
Values added: CWE-863

Type: References

Type: Metrics (cvssV3_1)
Values added:
  {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T15:50:03.339Z

Reserved: 2026-04-29T00:31:15.726Z

Link: CVE-2026-42610

Vulnrichment

Updated: 2026-05-11T15:49:40.974Z

NVD

Status: Analyzed

Published: 2026-05-11T16:17:33.957

Modified: 2026-05-12T16:16:49.410

Link: CVE-2026-42610

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T17:15:40Z

Weaknesses