CVE-2026-62234: Grav SSRF Vulnerability via Unrestricted cURL Protocols in Webhooks
An authenticated user with `api.webhooks.write` permissions can exploit CVE-2026-62234, a Server-Side Request Forgery (SSRF) vulnerability in Grav before version 2.0.4, by creating webhooks with unrestricted cURL protocols like `file://`, `dict://`, or `gopher://` to read local files, access process information, and pivot to internal services.
CVE-2026-62234 is a high-severity Server-Side Request Forgery (SSRF) vulnerability affecting Grav content management system versions prior to 2.0.4. This flaw allows authenticated attackers, specifically those with api.webhooks.write permissions, to bypass cURL protocol restrictions during webhook dispatch. By crafting malicious webhook URLs using file://, dict://, or gopher:// schemes, attackers can coerce the Grav application into making arbitrary requests to local files, internal network services, or querying process information. This capability enables unauthorized access to sensitive data, internal system reconnaissance, and potential pivoting into otherwise inaccessible internal infrastructure. While there is no current evidence of in-the-wild exploitation, the potential for significant data exposure and lateral movement makes this a critical concern for Grav users.
Attack Chain
- An attacker first obtains authenticated access to a Grav instance, potentially through compromised credentials or other initial access methods.
- The attacker ensures they possess the necessary
api.webhooks.writepermission required to create or modify webhooks within the Grav application. - The attacker crafts a malicious HTTP POST request to Grav's webhook creation API, embedding an SSRF payload as the webhook URL. This payload utilizes unrestricted cURL protocols such as
file:///etc/passwdfor local file access,dict://localhost:1234/commandfor arbitrary TCP connections, orgopher://internal-service/payloadfor interacting with internal network services. - The Grav application, specifically vulnerable versions before 2.0.4, processes this request and registers the webhook without properly validating or restricting the cURL protocol in the provided URL.
- The attacker then triggers the newly created webhook event, for example, by creating or updating content within Grav, or directly invoking the webhook via an API call if available.
- Upon trigger, the Grav application's cURL client attempts to connect to the malicious
file://,dict://, orgopher://URL as defined in the webhook. - The Grav application, acting as a proxy, performs actions such as reading specified local files, connecting to internal services on arbitrary ports, or querying sensitive process information.
- The results of the cURL request (e.g., file contents, service responses) are then returned to the Grav application, which the attacker can retrieve, leading to sensitive data exfiltration or enabling further lateral movement within the network.
Impact
Successful exploitation of CVE-2026-62234 can lead to severe consequences. Attackers can leverage this SSRF vulnerability to gain unauthorized access to critical system files, potentially exposing credentials, configuration details, or other sensitive information stored on the Grav host. The ability to access process information can aid in reconnaissance and exploit chaining. Furthermore, the unrestricted cURL protocols allow for pivoting to internal services that are not directly exposed to the internet, bypassing perimeter defenses and facilitating lateral movement within an organization's network. The CVSSv3.1 Base Score of 8.1 (High) and CVSSv4.0 score of 8.4 (High) reflect the critical nature of this vulnerability, primarily due to high confidentiality and integrity impacts.
Recommendation
- Patch CVE-2026-62234 immediately: Upgrade Grav to version 2.0.4 or later to address the vulnerability.
- Monitor outbound network connections: Implement network security monitoring to detect unusual outbound
file://,dict://, orgopher://requests originating from Grav servers. - Review user permissions: Regularly audit and restrict
api.webhooks.writepermissions to only trusted administrative users to limit the attack surface for this vulnerability.