Description
Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray() from within a page body, dumping the entire merged site configuration — including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens) — into the rendered HTML. No administrator privileges are required. This vulnerability is fixed in 2.0.0-rc.2.
Published: 2026-05-11
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Grav versions prior to 2.0.0-rc.2, the Twig sandbox allow‑list permits any editor‑role user (admin.pages) to invoke Config::toArray() within a page body. This call returns the entire merged site configuration, exposing plugin secrets such as SMTP passwords, AWS keys, OAuth client secrets, and API tokens directly in the rendered HTML. The vulnerability allows an attacker to exfiltrate highly sensitive data without requiring administrator privileges, thereby compromising confidentiality.

Affected Systems

All installations of getgrav:grav older than 2.0.0‑rc.2 are affected. Administrators who have granted the admin.pages role to editors or other users can exploit this flaw. The issue is resolved in version 2.0.0‑rc.2 and later.

Risk and Exploitability

The CVSS score is 7.7, indicating a high risk to confidentiality. EPSS is not available, so exploitation probability cannot be quantified, but the lack of an administrator requirement and the accessibility from any editor role suggest a realistic threat. The vulnerability is not listed in CISA KEV, yet the exposure of credentials can lead to significant downstream impacts if the plugin secrets are compromised.

Generated by OpenCVE AI on May 11, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Grav 2.0.0‑rc.2 or later, which removes the insecure sandbox allow‑list
  • Revoke the admin.pages role from users who do not need to edit content, limiting their ability to call Config::toArray()
  • If an immediate upgrade is not possible, disable or tightly restrict the use of Config::toArray() in page templates and consider externalizing sensitive configuration values to a secure vault or environment variables

Generated by OpenCVE AI on May 11, 2026 at 17:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Getgrav
Getgrav grav
Vendors & Products Getgrav
Getgrav grav

Mon, 11 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray() from within a page body, dumping the entire merged site configuration — including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens) — into the rendered HTML. No administrator privileges are required. This vulnerability is fixed in 2.0.0-rc.2.
Title Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Getgrav Grav
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T15:47:46.778Z

Reserved: 2026-05-07T18:04:17.310Z

Link: CVE-2026-44738

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-11T17:16:34.747

Modified: 2026-05-11T17:16:34.747

Link: CVE-2026-44738

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T17:45:26Z

Weaknesses