CVE-2026-61450
Received Received - Intake

Twig Sandbox Bypass in Grav CMS

Vulnerability report for CVE-2026-61450, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

Grav before 2.0.2 contains a Twig sandbox bypass that allows a page author (any admin.pages user, or anyone able to write to user/pages) to exfiltrate configuration secrets. Although the sandbox replaces the 'config' variable with a redacted facade and strips Config::get/toArray from the method allowlist, the raw container remains accessible via the allow-listed grav.offsetGet('config'), which returns the real Config object. Allow-listed object-dumping filters (json_encode, print_r, yaml_encode) then serialize that object at the PHP level without invoking the sandbox method gate, exposing the full config tree including plugin secrets such as SMTP credentials, API keys, and plugin DB credentials. This is an incomplete fix for GHSA-j274-39qw-32c9.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
getgrav grav to 2.0.2 (exc)
getgrav grav 2.0.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthorized exfiltration of sensitive configuration data, including secrets such as SMTP credentials, API keys, and database credentials.

Exposure of such sensitive information can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to and protection of confidential data.

Because the vulnerability enables attackers with relatively low privileges to access confidential configuration secrets, it increases the risk of data breaches and non-compliance with these regulations.

Executive Summary

CVE-2026-61450 is a vulnerability in Grav CMS versions before 2.0.2 that involves a bypass of the Twig sandbox security mechanism.

The vulnerability allows a page author or any user with write access to user/pages to exfiltrate sensitive configuration secrets.

Although the sandbox replaces the 'config' variable with a redacted facade and removes certain methods like Config::get and toArray from the allowed list, the raw container remains accessible via the allow-listed method grav.offsetGet('config'), which returns the real Config object.

Allow-listed object-dumping filters such as json_encode, print_r, and yaml_encode then serialize this object at the PHP level without invoking the sandbox method gate, exposing the full configuration tree including plugin secrets like SMTP credentials, API keys, and plugin database credentials.

This is an incomplete fix for a previously reported vulnerability (GHSA-j274-39qw-32c9).

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive configuration data.

Attackers with page author privileges or write access to user/pages can exfiltrate secrets such as SMTP credentials, API keys, and plugin database credentials.

Because the vulnerability allows bypassing the sandbox protections, it can expose the full configuration tree, potentially compromising the security of the entire Grav CMS installation.

The impact is primarily on confidentiality, with no requirement for user interaction and low privilege needed to exploit.

Detection Guidance

Detection of this vulnerability involves identifying if Grav CMS versions before 2.0.2 are in use and if the Twig sandbox bypass is exploitable by users with page author or write access to user/pages.

Specifically, detection can focus on attempts to use the allow-listed method grav.offsetGet('config') combined with object-dumping filters such as json_encode, print_r, or yaml_encode to serialize the configuration object.

While no explicit commands are provided in the resources, monitoring web server logs or application logs for suspicious Twig template usage involving grav.offsetGet('config') or unusual serialization calls could help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation involves removing the methods offsetGet and __get from the twig_sandbox.allowed_methods for Grav\Common\Grav in the system/config/security.yaml configuration file.

Additionally, restricting or disabling allow-listed object-dumping filters such as json_encode, print_r, and yaml_encode in sandboxed Twig environments can help prevent serialization of the raw Config object.

Upgrading Grav CMS to version 2.0.2 or later, where this vulnerability is fixed, is strongly recommended.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61450. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart