CVE-2026-55885
Deferred Deferred - Pending Action

Authenticated Admin Backup File Disclosure in Grav

Vulnerability report for CVE-2026-55885, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Grav is a file-based Web platform. Prior to 1.7.53, an authenticated administrator with backup permissions can download a ZIP archive containing the full Grav installation root, including user/accounts/admin.yaml with the administrator password hash and user/config with site configuration, through the backup download endpoint protected only by the session-static admin-nonce URL parameter. This issue is reported as fixed in version 1.7.53.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
grav grav to 1.7.53 (exc)
getgrav grav to 1.7.53 (exc)
getgrav grav 1.7.53

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CWE-312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-55885 is a vulnerability in the Grav CMS platform versions prior to 1.7.53. It allows an authenticated administrator with backup permissions to download a ZIP archive containing the entire Grav installation root.

This archive includes sensitive files such as user/accounts/admin.yaml, which stores the administrator's bcrypt password hash and email, and user/config/, which contains site configuration secrets.

The backup download endpoint is protected only by a session-static admin-nonce URL parameter, lacking additional CSRF protection or session-specific validation.

An attacker who obtains this admin-nonce (for example, through Referrer leakage, cross-site scripting, or browser history inspection) can craft a single GET request to trigger the backup download, exfiltrating sensitive data.

This vulnerability involves three main components: the backup archive scope capturing the full Grav root, the backup download handler embedding the server's full filesystem path in a Base64-encoded URL, and permissive nonce validation that only checks for the static admin-nonce without enforcing form-level CSRF tokens.

Impact Analysis

This vulnerability can have significant impacts including unauthorized disclosure of sensitive information.

  • Exposure of administrator credentials, including password hashes, which can be cracked offline to enable account takeover.
  • Disclosure of site configuration secrets that could be used to further compromise the system.
  • Potential for downstream attacks such as path traversal or local file inclusion (LFI) due to exposed server paths.

Overall, the vulnerability poses a high confidentiality risk and can lead to unauthorized administrative access and further exploitation.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious GET requests to the backup download endpoint that include the session-static admin-nonce parameter in the URL. Since the backup download endpoint allows an authenticated administrator with backup permissions to download a ZIP archive of the full Grav installation, unusual access patterns or downloads of large ZIP files containing sensitive configuration files may indicate exploitation attempts.

To detect such activity on your system or network, you can inspect web server logs for requests matching the backup download endpoint URL pattern with the admin-nonce parameter.

  • Use grep or similar tools to search for URLs containing the admin-nonce parameter in your web server access logs, for example: grep 'admin-nonce' /var/log/nginx/access.log
  • Monitor for large ZIP file downloads from the backup endpoint by checking file access logs or network traffic.
  • Use network monitoring tools to detect unusual GET requests with the admin-nonce parameter.
Mitigation Strategies

The immediate mitigation step is to upgrade Grav CMS to version 1.7.53 or later, where this vulnerability is fixed.

Until the upgrade can be performed, restrict access to the backup download endpoint to trusted administrators only and monitor for suspicious activity involving the admin-nonce parameter.

Additionally, consider invalidating existing admin-nonce tokens and enforcing stricter CSRF protections or session validations to prevent unauthorized use of the backup download endpoint.

Compliance Impact

This vulnerability allows an authenticated administrator with backup permissions to download a ZIP archive containing sensitive information such as administrator password hashes and site configuration secrets. Exposure of such sensitive data can lead to unauthorized access and potential data breaches.

The leakage of administrator credentials and configuration secrets could result in violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data. Unauthorized access enabled by this vulnerability may lead to non-compliance with these standards due to inadequate protection of confidential information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55885. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart