CVE-2026-42610
Information Disclosure in Grav CMS
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getgrav | grav | < 2.0.0-beta.2 (2.0.0-beta.2 itself is fixed) |
| getgrav | grav | 1.8.0-beta.29 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42610 is an authorization flaw (CWE-863) in Grav CMS before version 2.0.0-beta.2. A low-privileged Admin panel user with limited permissions, such as a Content Editor, can bypass the Twig sandbox restrictions by reaching the grav['accounts'] service from a Twig expression.
Through that service the attacker can load administrative user objects and read sensitive fields from them, including Bcrypt password hashes and the system security salt.
The bypass survived earlier patches that were meant to keep sensitive objects out of reach of the Twig environment.
It was fixed in Grav CMS 2.0.0-beta.2, which moves the security salt into a separate file that is not reachable via web requests and restricts access to the accounts service from inside the Twig sandbox.
How can this vulnerability impact me?
This vulnerability discloses data to a user who should never see it: the Bcrypt password hashes of administrative accounts and the system security salt.
With the hashes in hand, a low-privileged attacker can run offline brute-force or dictionary attacks against them and, if a weak administrator password is recovered, log in as that administrator.
The vulnerability does not by itself give code execution or full system compromise, but it turns a content-editing account into a credential-cracking opportunity. Note that Bcrypt embeds its own per-hash salt, so the disclosed system salt is not what makes the hashes crackable; it matters separately because Grav uses it as a secret input for nonces and similar tokens, so once the fix is applied it should be treated as compromised and regenerated along with the passwords of any exposed accounts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting exploitation means finding where a low-privileged Admin user has stored a Twig expression that reaches the grav['accounts'] service, or evidence that such content was rendered.
Because the payload is submitted through the Admin panel and saved as page content, the most reliable artefact is the content itself: the stored Markdown or template file that contains the expression. Grav renders Twig inside page content only when the page asks for it (for example process: twig: true in the page header), so a page that both enables Twig processing and references the accounts service deserves immediate attention.
The advisory does not ship detection commands; the following checks are reasonable starting points:
- Search the content tree (user/pages) and theme templates for Twig expressions that reference the accounts service in any of the attribute syntaxes Twig accepts (grav.accounts, grav['accounts'], grav["accounts"], attribute(grav, 'accounts')).
- In the web server access log, review POST requests to the Admin panel's page-save routes (the default Admin route is /admin) from low-privileged accounts. Access logs record the request line, not the body, so the Twig payload itself will not appear there; the log only tells you who saved what page and when.
- Check the Admin panel's own logs and the account files under user/accounts for unexpected reads or changes, and treat any confirmed finding as a prompt to rotate the affected administrator passwords and the security salt.
Example commands (adjust paths to your installation):
- grep -rnE "grav(\.accounts|\[['\"]accounts['\"]\])" /path/to/grav/user/pages /path/to/grav/user/themes
- grep -E '"POST /admin/' /path/to/webserver/logs/access.log
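As an added example (not part of the advisory and not Grav's own code), the following script implements the content scan described above against a constructed Grav-style page tree. The directory layout (user/pages), the file extensions scanned, and the method names in the sample payloads (load, hashed_password) are assumptions; the regex covers the attribute syntaxes Twig accepts plus the attribute() function, and because it is a purely syntactic check it can be evaded by more indirect expressions, so use it for triage rather than as proof of absence.

```bash
#!/usr/bin/env bash
# Added example, not part of the advisory or of Grav: scan a Grav content tree
# for Twig expressions that reach the accounts service (CVE-2026-42610 class).
# Assumptions: content lives under user/pages, and the sample payloads use
# load() / hashed_password as in the advisory's description.
set -euo pipefail

# Match a Twig output ({{ ... }}) or control ({% ... %}) tag that references
# the accounts service as grav.accounts, grav['accounts'], grav["accounts"]
# or attribute(grav, 'accounts'). Syntactic only: indirect expressions evade it.
ACCOUNTS_RE='\{[{%][^}]*(grav\.accounts|grav\[[[:space:]]*["'\'']accounts["'\''][[:space:]]*\]|attribute\([[:space:]]*grav[[:space:]]*,[[:space:]]*["'\'']accounts)'

# scan_pages DIR: print file:line:text for every match; return 1 if none.
scan_pages() {
  grep -rnE --include='*.md' --include='*.twig' --include='*.yaml' \
    "$ACCOUNTS_RE" "$1" || return 1
}

# twig_enabled FILE: succeed if the YAML front matter (lines 2 up to the
# closing ---) contains an indented "twig: true", i.e. process: twig: true,
# which is what makes Grav render a payload stored in page content.
twig_enabled() {
  sed -n '2,/^---$/p' "$1" | grep -E '^[[:space:]]+twig:[[:space:]]*true' >/dev/null
}

# report DIR: each hit, prefixed with whether its page renders Twig.
# Hits in pages with Twig off still matter: a later header edit arms them.
report() {
  local hit file flag
  scan_pages "$1" | while IFS= read -r hit; do
    file="${hit%%:*}"   # grep -rn output is path:line:text
    if twig_enabled "$file"; then flag="twig:on "; else flag="twig:off"; fi
    printf '%s %s\n' "$flag" "$hit"
  done
}

# make_demo_tree DIR: constructed sample content (not real site data) with
# one clean page and two pages carrying accounts-service expressions.
make_demo_tree() {
  local root="$1/user/pages"
  mkdir -p "$root/01.home" "$root/02.blog" "$root/03.about"
  cat > "$root/01.home/default.md" <<'EOF'
---
title: Home
process:
  twig: true
---
# Welcome
{{ page.title }} lives at {{ grav.uri.path }}.
Create user accounts from the Admin panel.
EOF
  cat > "$root/02.blog/item.md" <<'EOF'
---
title: Post
process:
  twig: true
---
{% set u = grav['accounts'].load('admin') %}
{{ grav.accounts.load('admin').hashed_password }}
EOF
  cat > "$root/03.about/default.md" <<'EOF'
---
title: About
---
{{ grav["accounts"] }}
{{ attribute(grav, 'accounts') }}
EOF
}

# Demo against the constructed tree; on a real site call:
#   report /path/to/grav/user/pages
demo() {
  local tmp
  tmp="$(mktemp -d)"
  make_demo_tree "$tmp"
  report "$tmp/user/pages" || echo "no accounts-service references found"
  rm -rf "$tmp"
}
demo
```

Running it as-is prints four hits: the two in 02.blog/item.md flagged twig:on, the two in 03.about/default.md flagged twig:off, and nothing from the clean home page even though its prose mentions "accounts". On a real installation point report at user/pages and, separately, at user/themes, since a compromised editor with theme access could store the expression in a template instead of a page; a hit is a lead to investigate, not proof of exploitation, and the reverse is equally true.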
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Grav CMS to version 2.0.0-beta.2 or later, where this vulnerability has been fixed.
In version 2.0.0-beta.2, the security salt is moved to a separate file inaccessible via web requests, and access to the accounts service in the Twig sandbox is restricted.
Additional immediate steps include:
- Limit which accounts can create or edit content that Grav renders with Twig, and review existing low-privileged Admin accounts for any that should not exist or have more access than their role needs.
- Monitor and audit user activities in the Admin panel for suspicious behavior.
- Apply any available patches or security updates provided by Grav CMS if upgrading immediately is not possible.
Implementing these steps will reduce the risk of sensitive data disclosure through this vulnerability.