CVE-2026-62236
Received Received - Intake

CSRF in Grav Plugin Login Regenerates TOTP Secret

Vulnerability report for CVE-2026-62236, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

grav-plugin-login before 3.8.11 contains a cross-site request forgery (CSRF) vulnerability in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated session user without any anti-CSRF nonce or Origin/Referer check. Because Grav core dispatches the task from the GET 'task:' URI parameter and the default session cookie is SameSite=Lax, an attacker can lure a logged-in victim to an off-site page that performs a top-level GET navigation, rotating the victim's TOTP secret so their enrolled authenticator no longer matches the server, effectively forcing 2FA re-enrollment. Sites configured with session.samesite: Strict are not affected.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
grav plugin_login to 3.8.11 (exc)
getgrav grav-plugin-login to 3.8.11 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) in the grav-plugin-login before version 3.8.11. It allows an attacker to rotate a logged-in user's two-factor authentication (TOTP) secret without their consent by exploiting a missing anti-CSRF check in the login.regenerate2FASecret task. The attack works by tricking a victim into visiting a malicious link, which triggers a GET request to change their TOTP secret, desynchronizing their authenticator app.

Detection Guidance

Check if grav-plugin-login versions before 3.8.11 are installed by inspecting the plugin directory or running Grav's admin panel. Look for unauthorized changes to user TOTP secrets or 2FA re-enrollment events in logs. Monitor network traffic for suspicious GET requests to the login.regenerate2FASecret task endpoint.

Impact Analysis

If you use grav-plugin-login with 2FA enabled, an attacker could force you to re-enroll in 2FA by changing your TOTP secret. This could lock you out of your account temporarily until you re-enroll. The attack requires you to be logged in and have 2FA enabled, but it does not require additional authentication.

Compliance Impact

This vulnerability primarily impacts authentication security by allowing an attacker to bypass two-factor authentication (2FA) through a CSRF attack. For compliance standards like GDPR or HIPAA, which require strong authentication and protection of sensitive data, this vulnerability could undermine security controls. If an attacker forces a user to re-enroll in 2FA, it may expose gaps in access controls, potentially violating requirements for secure authentication mechanisms.

Mitigation Strategies

Update grav-plugin-login to version 3.8.11 or later immediately. Review and enforce stricter session cookie settings (SameSite=Strict) if possible. Audit user accounts for unauthorized 2FA secret changes and re-enroll affected users.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62236. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart