CVE-2026-42610
Received Received - Intake
Information Disclosure in Grav CMS

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav['accounts'] service. Attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt. This vulnerability is fixed in 2.0.0-beta.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-42610
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
getgrav grav to 2.0.0-beta.2 (exc)
getgrav grav 1.8.0-beta.29
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42610 is a vulnerability in the Grav CMS platform prior to version 2.0.0-beta.2. It allows a low-privileged user, such as a Content Editor with limited permissions, to bypass Twig sandbox restrictions by exploiting the grav['accounts'] service.

This bypass enables the attacker to programmatically load administrative user objects and extract sensitive information, including Bcrypt password hashes and the system security salt.

The vulnerability persists even after previous security patches aimed at restricting sensitive object access within the Twig environment.

It was fixed in Grav CMS version 2.0.0-beta.2 by moving the security salt to a separate file inaccessible via web requests and restricting accounts service access in the Twig sandbox.

Compliance Impact

This vulnerability allows a low-privileged user to extract sensitive data such as Bcrypt password hashes and the system security salt from administrative user objects. Such unauthorized disclosure of sensitive authentication data could lead to offline brute-force or dictionary attacks, potentially compromising user accounts.

The exposure of sensitive user authentication information may impact compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive data against unauthorized access and disclosure.

By allowing attackers to bypass sandbox restrictions and access sensitive data, this vulnerability undermines the confidentiality requirements mandated by these standards, potentially leading to non-compliance and associated legal or regulatory consequences.

Impact Analysis

This vulnerability can lead to the disclosure of sensitive information such as administrative user password hashes and the system security salt.

An attacker with low privileges can extract this data and potentially perform offline brute-force or dictionary attacks on the password hashes to gain unauthorized access.

Although the vulnerability does not directly allow code execution or system compromise, the exposure of password hashes and security salts significantly increases the risk of credential compromise.

Detection Guidance

Detection of this vulnerability involves identifying attempts to exploit the Twig sandbox bypass to access the grav['accounts'] service and extract sensitive data.

Since the vulnerability allows a low-privileged user to inject Twig payloads in the Admin panel, monitoring for unusual or unauthorized Twig template executions or suspicious access patterns to administrative user objects is recommended.

Specific commands are not provided in the available resources, but general detection steps could include:

  • Review web server logs for suspicious POST or GET requests containing Twig payloads targeting the Admin panel.
  • Use grep or similar tools to search for access attempts to grav['accounts'] or unusual Twig expressions in logs or application data.
  • Monitor for unexpected access to sensitive files or data, such as Bcrypt password hashes or the security salt.

Example command to search logs for suspicious Twig payloads (adjust log path as needed):

  • grep -i "grav\['accounts'\]" /path/to/webserver/logs/access.log
  • grep -i "twig" /path/to/webserver/logs/access.log | grep -E "payload|inject"
Mitigation Strategies

The primary mitigation step is to upgrade Grav CMS to version 2.0.0-beta.2 or later, where this vulnerability has been fixed.

In version 2.0.0-beta.2, the security salt is moved to a separate file inaccessible via web requests, and access to the accounts service in the Twig sandbox is restricted.

Additional immediate steps include:

  • Restrict permissions of low-privileged users to prevent injection of Twig payloads.
  • Monitor and audit user activities in the Admin panel for suspicious behavior.
  • Apply any available patches or security updates provided by Grav CMS if upgrading immediately is not possible.

Implementing these steps will reduce the risk of sensitive data disclosure through this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42610. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart