CVE-2026-59190
Deferred Deferred - Pending Action

Authenticated Password Change in Grav Admin Plugin

Vulnerability report for CVE-2026-59190, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

grav-plugin-admin is an HTML user interface that provides a way to configure Grav and create and modify pages. In 1.10.52 and earlier, an authenticated attacker with admin.users permission can change the password of any user account, including the super administrator, by sending a direct POST request to /admin/user/{username}?task=save with data[password] because saveUser authorizes the caller's user-management permission but does not verify whether the caller may edit the target user. This issue is expected to be fixed in version 1.10.53.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
rockettheme grav-plugin-admin to 1.10.52 (inc)
rockettheme grav-plugin-admin 1.10.53
getgrav grav_plugin_admin to 1.10.53 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59190 is a high-severity Insecure Direct Object Reference (IDOR) vulnerability in the Grav Admin Plugin.

An authenticated attacker with the admin.users permission can change the password of any user account, including the super administrator, by sending a crafted POST request to /admin/user/{username}?task=save with a new password in the data[password] field.

The vulnerability exists because the saveUser() method does not verify whether the caller is authorized to edit the target user account and only checks if the user has admin.users or admin.super permissions.

This allows any user with admin.users permission to modify any account, including super administrator accounts, without requiring the current password or rate limiting.

Impact Analysis

This vulnerability can lead to complete control over the Grav instance by an attacker.

An attacker can take over any user account, including the super administrator, by changing passwords without authorization.

With full control, the attacker can execute arbitrary code via Twig templates, potentially compromising the entire system.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /admin/user/{username}?task=save that include the data[password] field. Such requests indicate attempts to change user passwords without proper authorization.

You can use network monitoring tools or web server logs to identify these requests. For example, using command-line tools like curl or grep on server logs to find POST requests targeting this endpoint with password data.

  • Check web server access logs for POST requests to /admin/user/*?task=save containing data[password]: grep 'POST /admin/user/' /var/log/apache2/access.log | grep 'task=save' | grep 'data[password]'
  • Use a network packet capture tool like tcpdump or Wireshark to filter HTTP POST requests to /admin/user/*?task=save.
  • Run a curl command to test if password changes are possible without proper authorization (only in a controlled environment): curl -X POST -d 'data[password]=newpassword' -b 'auth_cookie=your_auth_cookie' https://yourgravsite/admin/user/targetusername?task=save
Mitigation Strategies

The immediate mitigation step is to upgrade the Grav Admin plugin to version 1.10.53.1 or later, where the vulnerability has been fixed by adding proper permission checks to prevent non-super admin users from changing super administrator passwords.

Until the update can be applied, restrict access to the admin interface to trusted users only and monitor for suspicious password change attempts.

  • Upgrade the grav-plugin-admin to version 1.10.53.1 or later.
  • Limit admin.users permission to only fully trusted users.
  • Monitor and audit logs for unauthorized password change attempts.
  • Consider temporarily disabling the admin interface or restricting access via firewall rules if immediate patching is not possible.
Compliance Impact

This vulnerability allows an authenticated attacker with limited permissions to escalate privileges by changing the password of any user account, including the super administrator, without proper authorization checks.

Such unauthorized access and control over user accounts can lead to data breaches, unauthorized data modification, and loss of system integrity.

Consequently, this could result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.

Failure to prevent unauthorized privilege escalation and account takeover may expose organizations to regulatory penalties and reputational damage.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59190. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart