CVE-2026-44738
Status: Received - Intake
Information Disclosure in Grav CMS via Twig Sandbox Bypass

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray() from within a page body, dumping the entire merged site configuration, including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens), into the rendered HTML. No administrator privileges are required. This vulnerability is fixed in 2.0.0-rc.2.
Meta Information
Published: 2026-05-11
Last Modified: 2026-05-11
Generated: 2026-05-11
AI Q&A: 2026-05-11
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor | Product | Version / Range
grav | grav | to 2.0.0-rc.2 (inc)
getgrav | grav | to 2.0.0-rc.2 (exc)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-44738 is a vulnerability in Grav CMS versions up to 2.0.0-rc.1 where users with the admin.pages role (editor role) can exploit the Twig sandbox allow-list to call the config.toArray() method from within a page body.

This method dumps the entire merged site configuration, including all plugin secrets such as SMTP passwords, AWS keys, OAuth client secrets, and API tokens, into the rendered HTML output.

No administrator privileges are required to perform this attack, making it possible for editors to exfiltrate sensitive credentials by creating a page with a crafted payload.

How can this vulnerability impact me?

This vulnerability can lead to the exposure of highly sensitive information such as SMTP passwords, AWS keys, OAuth secrets, and API tokens.

An attacker with editor-level access can extract these secrets by injecting a payload into a page, which then renders the secrets in the HTML output accessible to anyone viewing the page.

The impact includes potential unauthorized access to email systems, cloud services, third-party APIs, and other integrated services, which can lead to data breaches, service disruptions, and further compromise of the affected environment.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for the presence of pages created or modified by users with the admin.pages role that contain payloads invoking the config.toArray() method within the Twig sandbox. Such pages will render the entire site configuration, including sensitive plugin secrets, in the HTML output.

To detect exploitation attempts, you can monitor HTTP responses for unusually large HTML content containing configuration data or secrets.

Suggested commands include:

  • Using grep or similar tools to search page content files for 'config.toArray()' or suspicious Twig payloads.
  • Using curl or wget to fetch rendered pages and inspecting the HTML output for leaked configuration data.
  • Monitoring web server logs for requests to pages created by users with the admin.pages role that might contain the exploit payload.
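The grep suggestion above, written out as an added POSIX shell check that is not part of this page or of Grav itself: it assumes the default Grav layout where page sources are Markdown files under user/pages (pass that directory as the argument) and builds a constructed two-page fixture so a hit and a miss can be seen offline.

```shell
#!/bin/sh
# Added example: scan Grav page sources for Twig tags that call config.toArray().
# Assumption: pages live as *.md files under the site's user/pages directory
# (the default Grav layout); pass that directory as the argument.

# Print "file:line:content" for every Twig output ({{ }}) or statement ({% %})
# tag that invokes config.toArray(). Exit status is 0 when something was found.
scan_grav_pages() {
  pages_dir="$1"
  find "$pages_dir" -type f -name '*.md' -exec \
    grep -n -i -E '[{][{%][^}]*config\.toArray[[:space:]]*\(' /dev/null {} +
}

# Number of distinct page files flagged (prints 0 when the tree is clean).
count_flagged_pages() {
  scan_grav_pages "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed fixture (not real site content): one benign page and one page
# whose body contains the call described in the advisory.
make_sample_pages() {
  dir="$1"
  mkdir -p "$dir/01.home" "$dir/02.about"
  cat > "$dir/01.home/default.md" <<'EOF'
---
title: Home
---
Welcome. The current page is {{ page.title }}.
EOF
  cat > "$dir/02.about/default.md" <<'EOF'
---
title: About
---
{{ config.toArray() }}
EOF
}

# Stand-alone run (sh scan.sh --demo): build the fixture in a temp dir, report, clean up.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_sample_pages "$tmp"
  scan_grav_pages "$tmp" || true
  echo "flagged files: $(count_flagged_pages "$tmp")"
  rm -rf "$tmp"
fi
```

The check only confirms whether a page source contains the call the advisory names; it complements the upgrade to 2.0.0-rc.2 and does not replace it.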

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Grav CMS to version 2.0.0-rc.2 or later, where this vulnerability is fixed.

Additionally, restrict or audit the permissions of users with the admin.pages role to prevent unauthorized creation or modification of pages that could exploit this vulnerability.

Review existing pages for any suspicious payloads that invoke config.toArray() and remove them.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows users with the editor role to exfiltrate sensitive credentials such as SMTP passwords, AWS keys, OAuth secrets, and API tokens by dumping the entire site configuration into rendered HTML. Such exposure of sensitive data can lead to unauthorized access and data breaches.

The compromise of sensitive credentials and potential unauthorized access to protected data can result in non-compliance with common standards and regulations like GDPR and HIPAA, which mandate strict controls over the confidentiality and security of personal and sensitive information.
