CVE-2026-62230
Received
Received - Intake
Grav Unauthenticated File Read via Case-Sensitive Bypass
Vulnerability report for CVE-2026-62230, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-17
Last updated on: 2026-07-17
Assigner: VulnCheck
Description
Description
Grav before 2.0.4 ships a default .htaccess (and reference webserver-configs/htaccess.txt) whose rules blocking access to sensitive file types (.yaml, .php, .json, etc.) lack the [NC] flag, making extension matching case-sensitive. On case-insensitive filesystems (Windows/NTFS, macOS/HFS+, or Docker volume mounts), an unauthenticated attacker can request these files with uppercase or mixed-case extensions (e.g., .YAML, .PHP) to bypass the restrictions and read sensitive configuration files that may contain API keys and credentials.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grav | grav | to 2.0.4 (exc) |
| getgrav | grav | to 2.0.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-178 | The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. |