CVE-2026-42609
Grav Admin Panel Account Overwrite Vulnerability
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getgrav | grav | < 2.0.0-beta.2 (all versions before 2.0.0-beta.2; upper bound excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-837 | The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42609 is a business logic vulnerability in the Grav CMS platform prior to version 2.0.0-beta.2. It allows a low-privileged user who has only user creation permissions to overwrite existing user accounts, including the primary administrator account. This happens because when a new user is created with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the duplicate username.
This flaw leads to denial of service on administrative functions and privilege de-escalation of the root account, effectively locking out legitimate administrators.
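The vulnerable pattern described above, as an added Python example that is not Grav's own code: a "create user" routine that simply saves to a path derived from the submitted username, beside a hardened version that normalizes the name and uses an exclusive create. The store layout (JSON files in a temporary directory), the field names and the assumption that usernames are case-insensitive are illustrative.

```python
# Added example (not Grav's own code): the overwrite flaw modelled on a
# file-per-user account store like Grav's user/accounts/<username>.yaml,
# beside a hardened create path. Records are stored as JSON here purely for
# brevity (Grav uses YAML); file names and fields are illustrative assumptions.
import json
import os
import tempfile
from typing import Any, Dict, Tuple

# Constructed sample: the pre-existing administrator record.
ADMIN_RECORD: Dict[str, Any] = {
    "email": "admin@example.com",
    "access": {"admin": {"login": True, "super": True}, "site": {"login": True}},
}

# Constructed sample: what a low-privileged "create user" request carries when
# it reuses the administrator's username.
ATTACKER_SUBMISSION: Dict[str, Any] = {
    "email": "attacker@example.com",
    "access": {"site": {"login": True}},
}


class DuplicateUsername(Exception):
    """Raised when a create request names an account that already exists."""


def account_path(accounts_dir: str, username: str) -> str:
    return os.path.join(accounts_dir, f"{username}.json")


def create_user_vulnerable(accounts_dir: str, username: str, record: Dict[str, Any]) -> None:
    """Vulnerable pattern (CWE-837 / CWE-639): 'create' is implemented as 'save'.
    The path is derived from the attacker-chosen username and opened for
    writing, so an existing record, admin's access block included, is replaced."""
    with open(account_path(accounts_dir, username), "w") as fh:  # "w" truncates
        json.dump(record, fh)


def create_user_fixed(accounts_dir: str, username: str, record: Dict[str, Any]) -> None:
    """Hardened pattern. Two points matter:
    1. normalize the key first, so a case variant such as 'Admin' cannot alias
       'admin' (assumption for illustration: usernames are case-insensitive);
    2. open with mode 'x' (O_CREAT|O_EXCL) instead of check-then-write, so a
       concurrent request cannot slip in between the existence check and the
       write."""
    username = username.strip().lower()
    try:
        fh = open(account_path(accounts_dir, username), "x")
    except FileExistsError:
        raise DuplicateUsername(username) from None
    with fh:
        json.dump(record, fh)


def read_record(accounts_dir: str, username: str) -> Dict[str, Any]:
    with open(account_path(accounts_dir, username)) as fh:
        return json.load(fh)


def is_super_admin(record: Dict[str, Any]) -> bool:
    return record.get("access", {}).get("admin", {}).get("super") is True


def demo() -> Tuple[bool, bool, bool]:
    """Run both paths against fresh stores.
    Returns (admin_lost_super_on_vulnerable_path,
             duplicate_rejected_on_fixed_path,
             admin_kept_super_on_fixed_path)."""
    with tempfile.TemporaryDirectory() as store:
        create_user_vulnerable(store, "admin", ADMIN_RECORD)         # legitimate creation
        create_user_vulnerable(store, "admin", ATTACKER_SUBMISSION)  # the overwrite
        lost_super = not is_super_admin(read_record(store, "admin"))

    with tempfile.TemporaryDirectory() as store:
        create_user_fixed(store, "admin", ADMIN_RECORD)
        try:
            create_user_fixed(store, "Admin", ATTACKER_SUBMISSION)  # case variant, same key
            rejected = False
        except DuplicateUsername:
            rejected = True
        kept_super = is_super_admin(read_record(store, "admin"))

    return lost_super, rejected, kept_super


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Running it prints `(True, True, True)`: the vulnerable path let the second "create" strip `super` from the admin record, the fixed path refused the case-variant duplicate, and the admin's access block survived. The exclusive open is the part that is easy to miss: a uniqueness check that merely tests for the file and then writes can still be raced by two concurrent create requests.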
How can this vulnerability impact me?
A low-privileged user with user-creation rights can overwrite the primary administrator account, replacing its permissions and metadata. That locks legitimate administrators out of the admin panel (denial of service on administrative functions) and strips the root account of its privileges (privilege de-escalation).
The CVSS base score of 8.1 (High) reflects that impact on integrity and availability; the only precondition is an authenticated account that is allowed to create users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The flaw is in the Admin Panel's user-creation logic: a user with only user-creation permission can submit an existing username and have that account's metadata and permissions replaced. It is exercised through ordinary authenticated requests to the admin panel, so there is no distinctive network signature; detection rests on the installed version, the state of the account files, and the admin panel's request history.
- Check the Grav version: run `bin/grav --version` from the site root, read it in the admin panel, or look at the `GRAV_VERSION` constant in `system/defines.php`. Anything before 2.0.0-beta.2 is affected.
- Inspect the account files under `user/accounts/`. Grav keeps one YAML file per user, so an overwrite shows up as a rewritten file rather than a duplicate username: compare each administrator's `access:` block and contact fields against a known-good backup, and look for account files with recent modification times.
- Audit `logs/grav.log` and the web server's access log for user-creation requests to the admin panel issued from low-privileged accounts, and correlate their timestamps with the modification times of the account files.
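A concrete form of the account audit above, as an added example (Python, not a Grav tool): it reads each file in a `user/accounts/`-style directory with a small parser for the plain `key: value` YAML subset Grav account files use, and diffs the e-mail, `access.admin.super` flag and password hash against a known-good baseline such as one extracted from a backup. The sample account files and the baseline are constructed; the parser is an assumption that covers only simple nested mappings.

```python
# Added example (not Grav's own code): audit a user/accounts/ directory for
# the traces an account overwrite leaves, by diffing each account file against
# a known-good baseline (e.g. extracted from a pre-incident backup).
# Assumptions: one YAML file per user as in Grav, restricted to the plain
# "key: value" nesting that the minimal parser below understands.
import os
import tempfile
from typing import Any, Dict, List, Tuple

# Constructed sample account files. 'admin' has been overwritten by a
# "create user" request (super revoked, e-mail replaced); 'editor' is intact.
SAMPLE_FILES: Dict[str, str] = {
    "admin.yaml": (
        "email: attacker@example.com\n"
        "access:\n"
        "  site:\n"
        "    login: true\n"
        "hashed_password: $2y$10$CONSTRUCTED_ADMIN_HASH\n"
    ),
    "editor.yaml": (
        "email: editor@example.com\n"
        "access:\n"
        "  admin:\n"
        "    login: true\n"
        "    pages: true\n"
        "  site:\n"
        "    login: true\n"
        "hashed_password: $2y$10$CONSTRUCTED_EDITOR_HASH\n"
    ),
}

# Constructed known-good baseline: the same fields as they were before the incident.
BASELINE: Dict[str, Dict[str, Any]] = {
    "admin": {"email": "admin@example.com", "super": True,
              "hashed_password": "$2y$10$CONSTRUCTED_ADMIN_HASH"},
    "editor": {"email": "editor@example.com", "super": False,
               "hashed_password": "$2y$10$CONSTRUCTED_EDITOR_HASH"},
}

WATCHED_FIELDS = ("email", "super", "hashed_password")


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Indentation-based parser for the 'key: value' / nested-mapping subset used
    in Grav account files. No lists, quoting or anchors; use PyYAML for more."""
    root: Dict[str, Any] = {}
    stack: List[Tuple[int, Dict[str, Any]]] = [(-1, root)]
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:          # climb back out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value == "":                        # 'key:' opens a nested mapping
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = {"true": True, "false": False}.get(value.lower(), value)
    return root


def summarize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce an account record to the fields an overwrite would have changed."""
    admin = record.get("access", {}).get("admin", {})
    return {"email": record.get("email"),
            "super": admin.get("super") is True,
            "hashed_password": record.get("hashed_password")}


def audit_accounts(accounts_dir: str, baseline: Dict[str, Dict[str, Any]]) -> List[Tuple[str, str, Any, Any]]:
    """Return (username, field, expected, actual) for every deviation from the
    baseline; accounts that appeared or vanished are reported as field 'exists'."""
    findings: List[Tuple[str, str, Any, Any]] = []
    on_disk: Dict[str, Dict[str, Any]] = {}
    for name in sorted(os.listdir(accounts_dir)):
        if name.endswith(".yaml"):
            with open(os.path.join(accounts_dir, name), encoding="utf-8") as fh:
                on_disk[name[:-5]] = summarize(parse_simple_yaml(fh.read()))
    for username in sorted(set(baseline) | set(on_disk)):
        if username not in baseline:
            findings.append((username, "exists", False, True))
        elif username not in on_disk:
            findings.append((username, "exists", True, False))
        else:
            for field in WATCHED_FIELDS:
                expected, actual = baseline[username][field], on_disk[username][field]
                if expected != actual:
                    findings.append((username, field, expected, actual))
    return findings


def demo() -> List[Tuple[str, str, Any, Any]]:
    """Write the constructed files to a temp directory and audit them."""
    with tempfile.TemporaryDirectory() as accounts_dir:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(accounts_dir, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_accounts(accounts_dir, BASELINE)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `audit_accounts` at a real `user/accounts/` directory and a baseline built from a backup taken before the suspected abuse; every `super` finding on an administrator, or an unexpected `email` or `hashed_password` change, is a candidate overwritten account to restore and re-verify.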
What immediate steps should I take to mitigate this vulnerability?
Upgrade Grav CMS to version 2.0.0-beta.2 or later, where the vulnerability is fixed.
In that release the user-management code enforces username uniqueness, so a create request for a username that already exists is rejected instead of overwriting the account.
Until you can upgrade, grant the user-creation permission only to trusted administrators, so that no low-privileged account can reach the vulnerable path.
Then review every administrative account: restore any that were overwritten from a known-good backup, and confirm that their `access` permissions and credentials are the expected ones before relying on them again.