CVE-2026-42613
Unauthenticated Admin Privilege Escalation in Grav CMS
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getgrav | grav | to 2.0.0-beta.2 (exc) |
| getgrav | grav-plugin-login | to 3.8.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42613 is a critical vulnerability in the Grav CMS Login plugin before version 2.0.0-beta.2. The issue arises because the Login::register() method accepts attacker-controlled 'groups' and 'access' fields from the registration POST data without proper server-side validation.
When registration is enabled and these fields are included in the allowed fields list, an unauthenticated attacker can inject these fields during self-registration to gain super-admin privileges.
This happens because the validation method only checks common fields like username, password, and email, but ignores 'groups' and 'access', allowing malicious input to bypass security controls.
The vulnerability is fixed in version 2.0.0-beta.2 and later, where the registration handler explicitly strips privilege-related fields and logs warnings for injection attempts.
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to escalate their privileges by registering themselves with super-admin rights.
With super-admin access, the attacker can fully control the admin panel, potentially leading to remote code execution and complete compromise of the Grav CMS site.
The attack requires no privileges, no user interaction, and can be executed remotely over the network, making it highly severe.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring registration POST requests for the presence of privilege-related fields such as 'groups' or 'access' being submitted by unauthenticated users.
Specifically, look for registration attempts where the POST data includes parameters like groups[]=admins or access[admin][super]=true, which indicate attempts to inject admin privileges.
You can use network monitoring tools or web server logs to search for such suspicious registration requests.
- Use command-line tools like grep to scan web server access logs for POST requests containing 'groups' or 'access' fields, for example:
- grep -i 'groups' /var/log/apache2/access.log
- grep -i 'access' /var/log/apache2/access.log
- Use tools like tcpdump or Wireshark to capture and analyze HTTP POST traffic to the registration endpoint, filtering for these fields.
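The detection logic described above, as an added example that is not part of this advisory or of the Grav project: a small Python check that URL-decodes request bodies from log lines and flags registration POSTs carrying groups or access fields. It assumes a hypothetical reverse-proxy or WAF log format that records POST bodies (standard Apache/Nginx access logs do not), a registration path of /user/register, and constructed sample lines.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample lines in an assumed reverse-proxy/WAF format that logs
# request bodies. Plain access.log files do not contain POST bodies, so a
# grep over them cannot see these fields at all.
SAMPLE_LOG = """\
2026-05-11T10:00:01Z 203.0.113.5 POST /user/register body="username=alice&password=Pa55w0rd!&email=alice%40example.org"
2026-05-11T10:00:07Z 198.51.100.9 POST /user/register body="username=mallory&password=x&email=m%40example.org&groups%5B%5D=admins&access%5Badmin%5D%5Bsuper%5D=true"
2026-05-11T10:00:09Z 198.51.100.9 GET /user/register body=""
2026-05-11T10:01:03Z 192.0.2.77 POST /user/register body="data%5Busername%5D=eve&data%5Bgroups%5D%5B%5D=admins"
2026-05-11T10:02:00Z 192.0.2.78 POST /user/register body="username=bob&accessibility=high"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) body="(?P<body>[^"]*)"$'
)
# Field names that must never be accepted from a self-registration form.
PRIV_FIELDS = {"groups", "access"}


def key_segments(name):
    """Split 'data[access][admin][super]' into ['data', 'access', 'admin', 'super']."""
    return [s for s in re.split(r"\[|\]", name) if s]


def privilege_fields(body):
    """Return decoded form field names whose name (or any bracket segment) is groups/access."""
    hits = []
    for name, _value in parse_qsl(body, keep_blank_values=True):
        # Exact segment match: 'access[admin][super]' and 'data[groups][]' hit,
        # 'accessibility' does not.
        if PRIV_FIELDS & set(key_segments(name)):
            hits.append(name)
    return hits


def find_privilege_injection(log_text, register_path="/user/register"):
    """Return (timestamp, ip, fields) for every registration POST carrying privilege fields."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != register_path:
            continue
        hits = privilege_fields(m["body"])
        if hits:
            findings.append((m["ts"], m["ip"], hits))
    return findings


if __name__ == "__main__":
    for ts, ip, fields in find_privilege_injection(SAMPLE_LOG):
        print(f"{ts} {ip} registration POST carries privilege fields: {', '.join(fields)}")
```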
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Grav Login plugin to version 3.8.2 or later, where the vulnerability is fixed by stripping client-supplied privilege fields from registration forms and logging injection attempts.
If upgrading immediately is not possible, ensure that the registration feature is disabled or that the 'groups' and 'access' fields are not included in the allowed fields list for user registration.
Additionally, review your configuration to prevent privilege-related fields from being accepted during registration.
Monitor logs for any suspicious registration attempts that include privilege escalation fields and respond accordingly.