Description
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without server-side validation. When registration is enabled and groups or access are included in the configured allowed fields list, an unauthenticated user can self-register with admin.super privileges by injecting these fields into the registration request. This vulnerability is fixed in 2.0.0-beta.2.
Published: 2026-05-11
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the Grav Login plugin before version 2.0.0‑beta.2. The Login::register() method copies the groups and access values from the registration POST body into the new account without server‑side validation, so a request that includes an access structure granting admin.super creates an account that is a super‑administrator from its first login. No existing credentials are needed: the attacker self‑registers and arrives with full administrative rights. The root cause is a missing server‑side check on attacker‑controlled input combined with authorization data being taken from the client (CWE‑20: Improper Input Validation and CWE‑862: Missing Authorization).
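The handler shape described above, as an added illustration rather than code from Grav or the Login plugin: a model of a registration method that honours whatever the form's allowed-fields list says (the vulnerable pattern), beside a hardened version that filters the request against a privilege denylist and assigns access and groups from server-side policy only. Field names (`groups`, `access`, `admin.super`) follow the advisory; `DEFAULT_ACCESS`, the function names and the constructed request are assumptions made for the example.

```python
import copy

# Keys that carry authorization data. They must never be populated from the
# registration request, whatever the form's allowed-fields list says.
PRIVILEGE_KEYS = frozenset({"groups", "access"})

# Assumed default for a self-registered account: site login only, no admin access.
DEFAULT_ACCESS = {"site": {"login": True}}


def register_vulnerable(post, allowed_fields):
    """Vulnerable pattern (CWE-20/CWE-862): every configured allowed field is
    copied verbatim from the parsed POST body into the new account, so a
    request carrying `access` or `groups` chooses its own privileges."""
    account = {"username": post.get("username"), "email": post.get("email")}
    for field in allowed_fields:
        if field in post:
            account[field] = copy.deepcopy(post[field])
    account.setdefault("access", copy.deepcopy(DEFAULT_ACCESS))
    account.setdefault("groups", [])
    return account


def strip_privilege_fields(post):
    """Drop authorization keys from request data; return (clean, rejected)."""
    clean = {k: v for k, v in post.items() if k not in PRIVILEGE_KEYS}
    rejected = sorted(k for k in post if k in PRIVILEGE_KEYS)
    return clean, rejected


def register_hardened(post, allowed_fields):
    """Hardened pattern: the request is filtered against the allowed-fields
    list AND against the privilege denylist (so a misconfigured allowlist
    cannot reintroduce the hole), and access/groups always come from
    server-side policy. Returns (account, rejected_fields) so the caller can
    log the injection attempt."""
    clean, rejected = strip_privilege_fields(post)
    account = {"username": clean.get("username"), "email": clean.get("email")}
    for field in allowed_fields:
        if field in PRIVILEGE_KEYS:
            continue  # ignore privilege keys even if an admin listed them
        if field in clean:
            account[field] = copy.deepcopy(clean[field])
    account["access"] = copy.deepcopy(DEFAULT_ACCESS)
    account["groups"] = []
    return account, rejected


def has_admin_super(account):
    """True when the account would be treated as a super-user (access.admin.super).
    String forms such as "true"/"1" are accepted because form data arrives as text."""
    admin = (account.get("access") or {}).get("admin") or {}
    return str(admin.get("super", "")).lower() in {"true", "1", "yes", "on"}


# Constructed request: ordinary registration fields plus injected privilege keys,
# shown as the nested structure a PHP-style form parser yields for
# access[admin][super]=true. Not a captured request.
ATTACKER_POST = {
    "username": "newuser",
    "email": "newuser@example.test",
    "fullname": "New User",
    "groups": ["admins"],
    "access": {"admin": {"login": True, "super": True}, "site": {"login": True}},
}

# Vulnerable precondition from the advisory: groups/access in the allowed fields.
MISCONFIGURED_FIELDS = ["username", "email", "fullname", "groups", "access"]
# Safe configuration: only identity fields are accepted from the form.
SAFE_FIELDS = ["username", "email", "fullname"]

if __name__ == "__main__":
    bad = register_vulnerable(ATTACKER_POST, MISCONFIGURED_FIELDS)
    good, rejected = register_hardened(ATTACKER_POST, MISCONFIGURED_FIELDS)
    print("vulnerable handler grants admin.super:", has_admin_super(bad))
    print("hardened handler grants admin.super:", has_admin_super(good), "rejected:", rejected)
```

The point of the denylist in `register_hardened` is that the fix does not depend on the administrator keeping `groups` and `access` out of the allowed-fields list: the same request that yields a super-user from `register_vulnerable` yields a plain site member from the hardened handler under either configuration, and the rejected keys are returned so the attempt can be logged.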

Affected Systems

The flaw is in the Login::register() method of the Login plugin, the component shipped with Grav CMS; releases prior to 2.0.0‑beta.2 contain the vulnerable code. A given instance is exploitable only when user registration is enabled and groups or access appear in the plugin's allowed fields configuration for the registration form.

Risk and Exploitability

The CVSS 3.1 base score is 9.4 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), rating the flaw critical: it is exploitable over the network, with low complexity, without any existing privileges or user interaction, and yields high confidentiality and integrity impact. Exploitation is a single unauthenticated HTTP POST to the registration endpoint, provided registration is enabled and the form's allowed fields include groups or access. No EPSS score is available and the CVE is not in the CISA KEV catalog, but the combination of missing validation and a direct path to admin.super makes it a high‑risk exposure for any instance meeting the preconditions.

Generated by OpenCVE AI on May 11, 2026 at 16:50 UTC.

Remediation

The vendor fix is the 2.0.0‑beta.2 release named in the advisory description; no separate vendor workaround is published beyond the configuration changes listed below.

OpenCVE Recommended Actions

  • Upgrade Grav to version 2.0.0‑beta.2 or later, which adds the missing server‑side validation of the groups and access fields in Login::register().
  • If an upgrade cannot be performed immediately, disable user registration or remove the groups and access fields from the allowed fields list in the plugin configuration, ensuring those values cannot be supplied during registration.
  • Audit existing user memberships and revoke admin.super privileges from accounts that should not possess them, limiting super rights to explicitly authorized users.
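An audit helper for the last step, added here as an example and not part of Grav or the OpenCVE page: it walks a directory of Grav account files (assumed to be the usual `user/accounts/<username>.yaml` layout) and lists every account whose `access.admin.super` is set, so the result can be diffed against the intended administrator list. The YAML reader handles only the nested-mapping subset those files use; the three sample accounts are constructed for the example.

```python
import os
import tempfile

TRUE_VALUES = {"true", "1", "yes", "on"}


def parse_account_yaml(text):
    """Parse the nested-mapping subset of YAML used by Grav account files
    (`key: value` lines and indentation-nested mappings). Added helper, not
    Grav's loader: block-list items (e.g. under `groups:`) are skipped because
    only the `access:` mapping matters for this check."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for the current nesting path
    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("- "):
            continue
        indent = len(line) - len(line.lstrip(" "))
        while indent <= stack[-1][0]:
            stack.pop()  # dedent: return to the enclosing mapping
        key, _, value = stripped.partition(":")
        value = value.strip()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key.strip()] = child
            stack.append((indent, child))
        else:
            parent[key.strip()] = value.strip("'\"")
    return root


def grants_admin_super(account):
    """True when access.admin.super is a truthy YAML scalar."""
    access = account.get("access")
    admin = access.get("admin") if isinstance(access, dict) else None
    if not isinstance(admin, dict):
        return False
    return str(admin.get("super", "")).lower() in TRUE_VALUES


def audit_accounts(accounts_dir):
    """Return the usernames (file stems) under accounts_dir whose account file
    grants admin.super, sorted, for comparison with the intended admin list."""
    flagged = []
    for name in sorted(os.listdir(accounts_dir)):
        if not name.endswith(".yaml"):
            continue
        with open(os.path.join(accounts_dir, name), encoding="utf-8") as fh:
            if grants_admin_super(parse_account_yaml(fh.read())):
                flagged.append(name[: -len(".yaml")])
    return flagged


# Constructed sample accounts in Grav's account-file layout: one legitimate
# admin, one normal member, and one self-registered account that arrived with
# injected access/groups.
SAMPLE_ACCOUNTS = {
    "admin": "email: admin@example.test\nfullname: Site Admin\nstate: enabled\n"
             "access:\n  admin:\n    login: true\n    super: true\n  site:\n    login: true\n",
    "bob": "email: bob@example.test\nfullname: Bob\nstate: enabled\n"
           "access:\n  site:\n    login: true\n",
    "newuser": "email: newuser@example.test\nfullname: newuser\nstate: enabled\n"
               "groups:\n  - admins\n"
               "access:\n  admin:\n    login: true\n    super: true\n  site:\n    login: true\n",
}


def write_sample_accounts():
    """Materialise SAMPLE_ACCOUNTS in a temporary directory and return its path."""
    path = tempfile.mkdtemp(prefix="grav-accounts-")
    for user, body in SAMPLE_ACCOUNTS.items():
        with open(os.path.join(path, f"{user}.yaml"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return path


if __name__ == "__main__":
    for user in audit_accounts(write_sample_accounts()):
        print("admin.super:", user)
```

Run it against the real accounts directory instead of `write_sample_accounts()`; any username in the output that is not on the approved administrator list should have its access block reset and its registration time checked against the window in which groups or access were in the allowed fields.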

Advisories
Source: GitHub GHSA
ID: GHSA-pxm6-mhxr-q4mj
Title: Grav Vulnerable to Privilege Escalation via Missing Server-Side Validation of groups/access

History

Mon, 11 May 2026 17:45:00 +0000

Type: First Time appeared
Values Added: Getgrav; Getgrav grav

Type: Vendors & Products
Values Added: Getgrav; Getgrav grav

Mon, 11 May 2026 15:30:00 +0000

Type: Description
Values Added: Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without server-side validation. When registration is enabled and groups or access are included in the configured allowed fields list, an unauthenticated user can self-register with admin.super privileges by injecting these fields into the registration request. This vulnerability is fixed in 2.0.0-beta.2.

Type: Title
Values Added: Grav: Privilege Escalation via Missing Server-Side Validation of groups/access

Type: Weaknesses
Values Added: CWE-20; CWE-862

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T15:24:19.238Z

Reserved: 2026-04-29T00:31:15.726Z

Link: CVE-2026-42613

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-11T16:17:34.497

Modified: 2026-05-11T16:17:34.497

Link: CVE-2026-42613

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T17:30:15Z

Weaknesses