Home

Description

The Grav Admin2 plugin (getgrav/grav-plugin-admin2) before 2.0.4 embeds a global JavaScript variable window.__GRAV_CONFIG__ in the Admin2 SPA bootstrap page at /grav/admin (and its subroutes). This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base path, runtime environment type, and exact Grav and Admin2 version numbers, allowing an unauthenticated attacker to fingerprint the deployment and select version-specific exploits without reconnaissance.

PUBLISHED Reserved 2026-07-09 | Published 2026-07-11 | Updated 2026-07-13 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

Exposure of Sensitive Information to an Unauthorized Actor

Product status

Default status
unaffected

Any version before 2.0.4
affected

2.0.4 (semver)
unaffected

Credits

nicl4ssic reporter

References

github.com/...v/grav/security/advisories/GHSA-pfjq-chp8-3vgh exploit

github.com/...v/grav/security/advisories/GHSA-pfjq-chp8-3vgh (GitHub Security Advisory (GHSA-pfjq-chp8-3vgh)) vendor-advisory

www.vulncheck.com/...-information-disclosure-via-grav-config (VulnCheck Advisory: Grav before 2.0.4 Information Disclosure via __GRAV_CONFIG__) third-party-advisory

cve.org (CVE-2026-61454)

nvd.nist.gov (CVE-2026-61454)

Download JSON