CVE-2026-62234
Received Received - Intake

Grav Webhook Arbitrary File Read via cURL Protocol Restriction Bypass

Vulnerability report for CVE-2026-62234, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

Grav before 2.0.4 fails to restrict cURL protocols in webhook dispatch, allowing authenticated users with api.webhooks.write permission to create webhooks with file://, dict://, or gopher:// URLs. Attackers can trigger webhook events to read local files, access process information, or pivot to internal services via unrestricted protocol handlers.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
grav grav to 2.0.4 (exc)
getgrav grav to 2.0.4 (exc)
getgrav grav 2.0.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Grav before 2.0.4 has a Server-Side Request Forgery (SSRF) flaw due to unrestricted cURL protocols in webhook dispatch. Authenticated users with api.webhooks.write permission can create webhooks using file://, dict://, or gopher:// URLs. This allows attackers to read local files, access process information, or pivot to internal services by triggering webhook events with these protocols.

Detection Guidance

Check Grav CMS version with: grep -r "version" /var/www/html/user/config/system.yaml. If version is below 2.0.4, the system is vulnerable. Inspect webhook configurations for file://, dict://, or gopher:// URLs in the Grav admin panel or database.

Impact Analysis

An attacker could exploit this to read sensitive local files like /etc/passwd, access internal services via protocols like dict://, or exfiltrate cloud metadata. This could lead to data breaches, unauthorized system access, or lateral movement within a network.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating GDPR's data protection principles or HIPAA's security requirements for protected health information. Organizations may face compliance violations, fines, or legal consequences if exploited.

Mitigation Strategies

Upgrade Grav CMS to version 2.0.4 or later immediately. Remove or disable webhooks using unsafe protocols like file://, dict://, or gopher://. Restrict api.webhooks.write permission to trusted users only.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62234. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart