Description
Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray() from within a page body, dumping the entire merged site configuration — including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens) — into the rendered HTML. No administrator privileges are required. This vulnerability is fixed in 2.0.0-rc.2.
Published: 2026-05-11
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Grav versions prior to 2.0.0-rc.2, the Twig sandbox allow‑list permits any editor‑role user (admin.pages) to invoke Config::toArray() within a page body. This call returns the entire merged site configuration, exposing plugin secrets such as SMTP passwords, AWS keys, OAuth client secrets, and API tokens directly in the rendered HTML. The vulnerability allows an attacker to exfiltrate highly sensitive data without requiring administrator privileges, thereby compromising confidentiality.

Affected Systems

All installations of getgrav:grav older than 2.0.0‑rc.2 are affected. Administrators who have granted the admin.pages role to editors or other users can exploit this flaw. The issue is resolved in version 2.0.0‑rc.2 and later.

Risk and Exploitability

The CVSS score is 7.7, indicating a high risk to confidentiality. EPSS is reported as less than 1%, implying a very low probability of exploitation, but the lack of an administrator requirement and the accessibility from any editor role suggest a realistic threat. The vulnerability is not listed in CISA KEV, yet the exposure of credentials can lead to significant downstream impacts if the plugin secrets are compromised.

Generated by OpenCVE AI on May 13, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Grav 2.0.0‑rc.2 or later, which removes the insecure sandbox allow‑list
  • Revoke the admin.pages role from users who do not need to edit content, limiting their ability to call Config::toArray()
  • If an immediate upgrade is not possible, disable or tightly restrict the use of Config::toArray() in page templates and consider externalizing sensitive configuration values to a secure vault or environment variables

Generated by OpenCVE AI on May 13, 2026 at 21:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j274-39qw-32c9 Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()
History

Thu, 14 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*
cpe:2.3:a:getgrav:grav:2.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:getgrav:grav:2.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:getgrav:grav:2.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:getgrav:grav:2.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:getgrav:grav:2.0.0:rc1:*:*:*:*:*:*

Mon, 11 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Getgrav
Getgrav grav
Vendors & Products Getgrav
Getgrav grav

Mon, 11 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray() from within a page body, dumping the entire merged site configuration — including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens) — into the rendered HTML. No administrator privileges are required. This vulnerability is fixed in 2.0.0-rc.2.
Title Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Getgrav Grav
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:06:17.679Z

Reserved: 2026-05-07T18:04:17.310Z

Link: CVE-2026-44738

cve-icon Vulnrichment

Updated: 2026-05-14T18:03:19.535Z

cve-icon NVD

Status : Modified

Published: 2026-05-11T17:16:34.747

Modified: 2026-05-14T18:16:50.440

Link: CVE-2026-44738

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T21:15:04Z

Weaknesses