CVE-2026-42609
Received Received - Intake
Grav Admin Panel Account Overwrite Vulnerability

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the request. This leads to a Denial of Service (DoS) on administrative functions and Privilege De-escalation of the root account. This vulnerability is fixed in 2.0.0-beta.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-42609
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
getgrav grav to 2.0.0-beta.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-837 The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in Grav CMS allows low-privileged users to overwrite existing administrative accounts, including the primary administrator, leading to privilege de-escalation and denial of service on administrative functions.

Such unauthorized privilege changes and denial of administrative access can undermine the security controls required by common standards and regulations like GDPR and HIPAA, which mandate strict access control and protection of sensitive data.

By enabling attackers to compromise administrative accounts, this vulnerability could lead to unauthorized access or disruption of systems that handle personal or protected health information, thereby potentially causing non-compliance with these regulations.

Executive Summary

CVE-2026-42609 is a business logic vulnerability in the Grav CMS platform prior to version 2.0.0-beta.2. It allows a low-privileged user who has only user creation permissions to overwrite existing user accounts, including the primary administrator account. This happens because when a new user is created with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the duplicate username.

This flaw leads to denial of service on administrative functions and privilege de-escalation of the root account, effectively locking out legitimate administrators.

Impact Analysis

This vulnerability can have serious impacts including denial of service (DoS) on administrative functions and privilege de-escalation of the root account. A low-privileged user can overwrite the primary administrator account, changing its permissions and metadata, which can lock out legitimate administrators from managing the system.

The CVSS score of 8.1 indicates a high impact on the integrity and availability of the system.

Detection Guidance

This vulnerability involves a business logic flaw in the Grav Admin Panel where a low-privileged user with user creation permissions can overwrite existing accounts by creating a new user with an existing username.

To detect if your system is vulnerable, you can check the version of Grav CMS you are running. Versions prior to 2.0.0-beta.2 are affected.

Additionally, you can audit user accounts for unexpected changes or overwritten administrative accounts, especially if there are users with duplicate usernames or altered permissions.

Since this is a logic vulnerability rather than a network-based exploit, detection commands would focus on verifying the Grav version and inspecting user data rather than network traffic.

  • Check Grav version: Run `bin/grav --version` or check the version in the admin panel or composer.json file.
  • Review user accounts in the Grav user directory (usually `user/accounts/`) for duplicate usernames or unexpected permission changes.
  • Audit Grav logs for suspicious user creation or modification activities.
Mitigation Strategies

The primary mitigation step is to upgrade Grav CMS to version 2.0.0-beta.2 or later, where this vulnerability has been fixed.

The fix includes strengthened uniqueness checks in the user management system to prevent overwriting existing accounts.

Until you can upgrade, restrict user creation permissions to trusted administrators only to prevent low-privileged users from exploiting this issue.

Also, review and restore any overwritten administrative accounts to ensure proper access control.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42609. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart