Home

Description

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the request. This leads to a Denial of Service (DoS) on administrative functions and Privilege De-escalation of the root account. This vulnerability is fixed in 2.0.0-beta.2.

PUBLISHED Reserved 2026-04-29 | Published 2026-05-11 | Updated 2026-05-11 | Assigner GitHub_M




HIGH: 8.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Problem types

CWE-269: Improper Privilege Management

CWE-285: Improper Authorization

CWE-639: Authorization Bypass Through User-Controlled Key

CWE-837: Improper Enforcement of a Single, Unique Action

Product status

< 2.0.0-beta.2
affected

References

github.com/...v/grav/security/advisories/GHSA-rr73-568v-28f8

github.com/...ommit/5a12f9be8314682c8713e569e330f11805d0a663

github.com/...ommit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47

github.com/...ommit/d904efc33e03ebb597afde8d3368b28cf0423632

cve.org (CVE-2026-42609)

nvd.nist.gov (CVE-2026-42609)

Download JSON