← back
CVE-2026-42613

Grav: Privilege Escalation via Missing Server-Side Validation of groups/access

CVSS 9.4 CRITICALEPSS 0.9%CWE-20CWE-862
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without server-side validation. When registration is enabled and groups or access are included in the configured allowed fields list, an unauthenticated user can self-register with admin.super privileges by injecting these fields into the registration request. This vulnerability is fixed in 2.0.0-beta.2.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Affected products
getgrav · grav
public PoCs found1
cve_referencegithub.com/getgrav/grav/security/advisories/GHSA-w48r-jppp-rcfwunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/getgrav/grav-plugin-login/commit/3d419a0dabd70aed1fd49afcd5919004a4141da1https://github.com/getgrav/grav/security/advisories/GHSA-pxm6-mhxr-q4mjhttps://github.com/getgrav/grav/security/advisories/GHSA-w48r-jppp-rcfw