Description
Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This results in full administrative compromise of the Grav API. This vulnerability is fixed in API 1.0.0-beta.17.
Published: 2026-05-12
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A low‑privileged authenticated API user possessing the api.media.write capability can misuse the /api/v1/blueprint-upload endpoint to write an arbitrary YAML file into the user/accounts/ directory of Grav 2.0.0‑beta.2. By creating a file that defines a new account with api.super privileges, the attacker can log in as a super‑admin, gaining full control over the Grav API. The weakness is rooted in improper authorization (CWE‑269) and insecure file handling (CWE‑434).

Affected Systems

This flaw affects all installations of Grav running version 2.0.0‑beta.2 or earlier that expose the blueprint‑upload API. The issue is fixed in Grav API 1.0.0‑beta.17 and later releases. Users of the getgrav:grav product should verify the installed API version and apply the patch if needed.

Risk and Exploitability

The CVSS score of 8.7 classifies the vulnerability as high severity. While an EPSS score is not available, the existence of a documented exploitation path and the absence of a KEV listing suggest that the flaw can be reasonably exploited over the network by any authenticated user with api.media.write rights. Attackers can remotely upload a crafted file through HTTP, making the vulnerability likely exploitable without additional preconditions.

Generated by OpenCVE AI on May 13, 2026 at 00:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Grav API 1.0.0‑beta.17 or newer to apply the patch.
  • Restrict or disable the /api/v1/blueprint-upload endpoint for users without full administrative privileges.
  • Revoke the api.media.write permission from low‑privileged roles and review role assignments to ensure only trusted users can upload media.

Generated by OpenCVE AI on May 13, 2026 at 00:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6xx2-m8wv-756h Low-privileged Grav API users can create super-admin accounts via blueprint-upload
History

Wed, 13 May 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Getgrav
Getgrav grav
Vendors & Products Getgrav
Getgrav grav

Tue, 12 May 2026 22:00:00 +0000

Type Values Removed Values Added
Description Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This results in full administrative compromise of the Grav API. This vulnerability is fixed in API 1.0.0-beta.17.
Title Grav: Low-privileged API users can create super-admin accounts via blueprint-upload
Weaknesses CWE-269
CWE-434
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Getgrav Grav
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T21:43:18.259Z

Reserved: 2026-04-30T16:44:48.376Z

Link: CVE-2026-42844

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T22:16:34.793

Modified: 2026-05-12T22:16:34.793

Link: CVE-2026-42844

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T00:15:27Z

Weaknesses