Grav CMS Privilege De-escalation via User Overwrite
A low-privileged user with user creation permissions in Grav CMS can overwrite existing accounts, including the primary administrator, leading to a Denial of Service (DoS) and privilege de-escalation by exploiting a business logic vulnerability in versions prior to 2.0.0-beta.2.
Grav CMS versions prior to 2.0.0-beta.2 are vulnerable to a privilege de-escalation attack. A low-privileged user with the admin.users.create permission can overwrite the primary administrator account by creating a new user with the same username. Due to an insecure “Create or Update” logic, the system updates the existing account’s metadata and permissions instead of rejecting the request. Although the attacker cannot directly elevate their own privileges, they can effectively disable administrative accounts, leading to a complete loss of management control over the CMS. This vulnerability was addressed in Grav core on April 24, 2026, with commit d904efc33.
Attack Chain
- An administrator creates a low-privileged user (e.g., adminuser) and grants them the admin.users.create permission.
- The low-privileged user logs into the Grav Admin Panel.
- The user navigates to the user creation page.
- The user fills out the “Add User” form, using the username of an existing administrator account (e.g., root0).
- The user submits the form, which triggers the vulnerable UserObject::save function.
- The system overwrites the administrator account’s configuration file (e.g., user/accounts/root0.yaml) with the provided details, effectively stripping the administrator’s permissions.
- The administrator attempts to log in, but their account now has reduced or no administrative privileges.
- The attacker has effectively achieved privilege de-escalation, causing a denial of service for the administrator.
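The root cause above is a save routine that treats "create" and "update" as the same write. The following is an added illustration, not Grav's own code: a simplified in-memory model in which a dict stands in for the user/accounts/<name>.yaml files, contrasting the flawed create-or-update write with a create-only write that refuses to touch an account that already exists. The field names (access, admin, super) are assumptions chosen for the model, not Grav's schema.

```python
"""Create-or-update versus create-only account saves (added example, not Grav code)."""
from __future__ import annotations

from copy import deepcopy


class UserExistsError(Exception):
    """Raised by the hardened save when the target account already exists."""


# Constructed account store: username -> account data.  In the real CMS each
# entry would be a user/accounts/<username>.yaml file; "access" is an assumed
# field name standing in for the account's permission block.
def initial_accounts() -> dict[str, dict]:
    return {
        "root0": {"access": {"admin": {"super": True}}, "email": "root0@example.invalid"},
        "adminuser": {"access": {"admin": {"users": {"create": True}}}, "email": "adminuser@example.invalid"},
    }


def save_create_or_update(accounts: dict[str, dict], form: dict) -> None:
    """Flawed pattern: write the submitted form to accounts[username] whether or
    not that account exists.  A low-privileged user who submits an existing
    administrator's username replaces that administrator's permission block."""
    accounts[form["username"]] = {k: deepcopy(v) for k, v in form.items() if k != "username"}


def save_create_only(accounts: dict[str, dict], form: dict) -> None:
    """Hardened pattern: a "create" request must fail closed when the account
    already exists, so the only way to change an existing account is through
    an explicit update path with its own authorization check."""
    if form["username"] in accounts:
        raise UserExistsError(f"account {form['username']!r} already exists")
    accounts[form["username"]] = {k: deepcopy(v) for k, v in form.items() if k != "username"}


def is_super_admin(accounts: dict[str, dict], username: str) -> bool:
    """Whether the account still carries the (assumed) super-admin flag."""
    return bool(accounts.get(username, {}).get("access", {}).get("admin", {}).get("super"))


def demo() -> tuple[bool, bool]:
    """Run the same 'Add User' submission against both save routines and report
    whether root0 keeps super-admin rights under each.  Returns (flawed, hardened)."""
    # Constructed "Add User" form reusing the administrator's username.
    overwrite_form = {"username": "root0", "access": {"site": {"login": True}}, "email": "x@example.invalid"}

    flawed = initial_accounts()
    save_create_or_update(flawed, overwrite_form)

    hardened = initial_accounts()
    try:
        save_create_only(hardened, overwrite_form)
    except UserExistsError:
        pass  # expected: the create request is rejected and root0 is untouched

    return is_super_admin(flawed, "root0"), is_super_admin(hardened, "root0")


if __name__ == "__main__":
    print("root0 still super-admin -> flawed: %s, hardened: %s" % demo())
```

The hardened variant is the minimal fix for this class of bug: a handler reached through a "create" permission must never fall through to an update of existing data. In a real deployment the existence check should be atomic with the write (for file-backed stores, an exclusive-create open) so that two concurrent requests cannot race past it.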
Impact
Successful exploitation of this vulnerability allows a low-privileged user to disable all administrative accounts in the Grav CMS. This leads to a complete loss of management control over the CMS, potentially impacting any Grav installation where non-admin users are granted permission to create other users. The vulnerability has been assigned CVE-2026-42609 with a severity rating of High.
Recommendation
- Upgrade Grav CMS to version 2.0.0-beta.2 or later to address the vulnerability described in this brief.
- Review user permissions and restrict admin.users.create permissions to trusted users only, particularly in versions prior to 2.0.0-beta.2.
- Monitor webserver logs for unusual user creation requests, specifically attempts to create users with existing administrator usernames, using the Sigma rule provided below.
- Audit user accounts regularly to detect any unauthorized changes in permissions.
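The two detections listed below tier on the same signal: any POST to the user-management endpoint is worth a medium-severity note, and one whose submitted username matches an existing administrator account is the high-severity overwrite attempt. The following is an added example of that logic, not the platform's Sigma rules or Grav code. It assumes a log source that records the submitted username alongside method and path (for example a reverse proxy or WAF with form-field logging), an assumed /admin/users path prefix as a placeholder for the real endpoint, and a set of administrator usernames you derive from the user/accounts/*.yaml files; the log lines are constructed.

```python
"""Two-tier detection of user-overwrite attempts (added example, not Grav code)."""
from __future__ import annotations

import json
import re

# ASSUMED placeholder for the admin user-management endpoint; adjust to the
# real path of the deployment being monitored.
USER_MGMT_PATH = re.compile(r"^/admin/users(?:/|$)")

# Constructed JSON-lines request records as a proxy or WAF with form-field
# logging might emit them.  "form" holds the posted fields.
SAMPLE_LOG = """\
{"ts": "2026-04-25T09:00:01Z", "src": "203.0.113.10", "method": "GET",  "path": "/admin/users", "form": {}}
{"ts": "2026-04-25T09:00:07Z", "src": "203.0.113.10", "method": "POST", "path": "/admin/users", "form": {"username": "newuser"}}
{"ts": "2026-04-25T09:00:19Z", "src": "203.0.113.10", "method": "POST", "path": "/admin/users", "form": {"username": "root0"}}
{"ts": "2026-04-25T09:01:02Z", "src": "198.51.100.7", "method": "POST", "path": "/admin/pages", "form": {"title": "Home"}}
"""


def classify(record: dict, admin_usernames: set[str]) -> tuple[str, str] | None:
    """Return (severity, reason) for a request record, or None if benign.

    medium: any POST to the user-management endpoint (create/modify activity).
    high:   a POST whose submitted username is an existing administrator,
            i.e. the overwrite pattern described in this brief.
    """
    if record.get("method") != "POST":
        return None
    if not USER_MGMT_PATH.match(record.get("path", "")):
        return None
    username = (record.get("form") or {}).get("username")
    if username in admin_usernames:
        return "high", f"user creation targeting existing admin {username!r}"
    return "medium", "POST to user management endpoint"


def scan(log_text: str, admin_usernames: set[str]) -> list[dict]:
    """Parse JSON-lines records and collect alerts, skipping unparseable lines."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: do not let one bad record stop the scan
        hit = classify(record, admin_usernames)
        if hit is None:
            continue
        severity, reason = hit
        alerts.append({"severity": severity, "src": record.get("src"), "ts": record.get("ts"), "reason": reason})
    return alerts


if __name__ == "__main__":
    # Administrator usernames would normally be enumerated from user/accounts/*.yaml.
    for alert in scan(SAMPLE_LOG, {"root0"}):
        print(f"[{alert['severity']}] {alert['ts']} {alert['src']}: {alert['reason']}")
```

Because the username lives in the POST body, a plain access log (method, path, status) only supports the medium tier; the high tier needs a source that captures form fields, or an application-side audit hook in the create handler itself. Pairing the high-severity alert with a periodic diff of the permission blocks in user/accounts/*.yaml against a known-good baseline covers the last recommendation above as well.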
Detection coverage (2 rules)
- Grav CMS User Overwrite Attempt (high): Detects attempts to create a user with the same username as an existing administrator account in Grav CMS, potentially leading to privilege de-escalation.
- Grav CMS POST Request to User Management (medium): Detects POST requests to the user management endpoint which could indicate malicious user creation/modification attempts.
Indicators of compromise (1)
| Type | Value |
|---|---|
| url | https://github.com/user-attachments/assets/047cb44e-0279-402b-b4fb-12bf5d427a5e |