CVE-2026-62232
Received Received - Intake

Two-Factor Authentication Bypass in Grav CMS

Vulnerability report for CVE-2026-62232, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

Grav before 2.0.4 contains a two-factor authentication bypass vulnerability in the login plugin where the regenerate2FASecret task checks only user existence, not authorization, during the pending TOTP challenge window. Attackers who know the victim's password can call this task without a CSRF nonce to overwrite the 2FA secret with an attacker-chosen value, compute a valid TOTP code, and complete authentication while reducing 2FA to password-only protection.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
grav login_plugin to 2.0.4 (exc)
getgrav grav to 2.0.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-62232 is a two-factor authentication bypass in Grav CMS versions 2.0.3 and earlier. It allows attackers who know a victim's password to bypass 2FA by exploiting improper secret rotation during the pending TOTP challenge window. The attacker calls the regenerate2FASecret task without proper authorization, overwriting the victim's 2FA secret with an attacker-controlled value. This lets them compute valid TOTP codes and complete authentication, reducing 2FA to password-only protection.

Detection Guidance

Check Grav CMS versions for 2.0.3 or earlier. Inspect login plugin logs for unauthorized calls to regenerate2FASecret task without CSRF nonce. Monitor for unexpected 2FA secret changes in user accounts.

Impact Analysis

If you use Grav CMS versions 2.0.3 or earlier, an attacker who knows your password could bypass your 2FA and gain unauthorized access to your account. This could lead to data theft, account takeover, or other malicious activities. The attack requires no user interaction and can be executed remotely over the network.

Compliance Impact

This vulnerability could impact compliance with GDPR and HIPAA by allowing unauthorized access to sensitive data. GDPR requires protecting personal data, and HIPAA mandates safeguarding protected health information. A successful 2FA bypass could result in unauthorized data exposure, leading to potential violations and penalties.

Mitigation Strategies

Upgrade Grav CMS to version 2.0.4 or later immediately. Disable the login plugin's regenerate2FASecret task if not needed. Implement strict CSRF token validation for all sensitive actions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62232. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart