CVE-2026-62230
Received Received - Intake

Grav Unauthenticated File Read via Case-Sensitive Bypass

Vulnerability report for CVE-2026-62230, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

Grav before 2.0.4 ships a default .htaccess (and reference webserver-configs/htaccess.txt) whose rules blocking access to sensitive file types (.yaml, .php, .json, etc.) lack the [NC] flag, making extension matching case-sensitive. On case-insensitive filesystems (Windows/NTFS, macOS/HFS+, or Docker volume mounts), an unauthenticated attacker can request these files with uppercase or mixed-case extensions (e.g., .YAML, .PHP) to bypass the restrictions and read sensitive configuration files that may contain API keys and credentials.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
grav grav to 2.0.4 (exc)
getgrav grav to 2.0.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-178 The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Grav, a content management system, before version 2.0.4. The default .htaccess file blocks access to sensitive files like .yaml, .php, and .json but lacks the [NC] flag, making extension matching case-sensitive. On case-insensitive filesystems (Windows/NTFS, macOS/HFS+, Docker volumes), attackers can bypass restrictions by using uppercase or mixed-case extensions (e.g., .YAML, .PHP) to read sensitive files containing credentials or API keys.

Detection Guidance

Check Grav version with 'bin/grav version' or inspect .htaccess files for missing [NC] flags in rules blocking sensitive extensions. Test access to files with mixed-case extensions like .YAML, .PHP, or .JSON on case-insensitive filesystems.

Impact Analysis

An unauthenticated attacker could access sensitive configuration files, including those containing API keys, credentials, or other confidential data. This could lead to unauthorized system access, data breaches, or further exploitation of the affected Grav installation.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, potentially violating GDPR (data protection) and HIPAA (health information privacy) requirements. Exposure of credentials or API keys may result in non-compliance with security and privacy controls mandated by these regulations.

Mitigation Strategies

Upgrade Grav to version 2.0.4 or later. Add the [NC] flag to .htaccess rules blocking sensitive extensions. Verify filesystem case sensitivity and restrict access to configuration files.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62230. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart