{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/grav--2.0.0-rc.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Grav (\u003c= 2.0.0-rc.1)"],"_cs_severities":["high"],"_cs_tags":["grav","twig","rce","secret-exfiltration"],"_cs_type":"advisory","_cs_vendors":["Grav"],"content_html":"\u003cp\u003eA vulnerability exists in Grav CMS version 2.0.0-rc.1 and earlier that allows users with the \u003ccode\u003eadmin.pages\u003c/code\u003e role to exfiltrate sensitive configuration data. The Twig sandbox configuration permits calls to the \u003ccode\u003eConfig::toArray()\u003c/code\u003e method, which exposes the entire merged site configuration, including plugin secrets. An editor-role user can inject a Twig code snippet into a page\u0026rsquo;s content, causing the full configuration to be rendered as JSON within the HTML. This issue was reported on May 13, 2026, and poses a significant risk to Grav CMS deployments by allowing unauthorized access to sensitive credentials. No administrator privileges are required for this exploit, broadening the attack surface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains editor-level access (\u003ccode\u003eadmin.pages\u003c/code\u003e role) to the Grav CMS admin panel.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a page with \u003ccode\u003eprocess.twig: true\u003c/code\u003e in the frontmatter to enable Twig processing.\u003c/li\u003e\n\u003cli\u003eAttacker inserts the payload \u003ccode\u003e{{ config.toArray()|json_encode|raw }}\u003c/code\u003e into the page body.\u003c/li\u003e\n\u003cli\u003eAttacker saves the page through the admin panel.\u003c/li\u003e\n\u003cli\u003eThe Grav CMS renders the page, executing the Twig code.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003econfig.toArray()\u003c/code\u003e function dumps the entire merged site configuration as a JSON string.\u003c/li\u003e\n\u003cli\u003eThe JSON string, containing sensitive plugin secrets, is embedded within the rendered HTML of the page.\u003c/li\u003e\n\u003cli\u003eAttacker accesses the rendered page, extracts the JSON string, and obtains plugin credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows any user with the editor role (\u003ccode\u003eadmin.pages\u003c/code\u003e) to exfiltrate all plugin credentials stored in the Grav CMS site configuration. This includes sensitive information such as SMTP passwords, AWS access/secret keys, OAuth client secrets, reCAPTCHA keys, and other API tokens. The compromise of these credentials can lead to unauthorized access to connected services, data breaches, and further lateral movement within the affected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Grav CMS to a version beyond 2.0.0-rc.1 to address CVE-2026-44738.\u003c/li\u003e\n\u003cli\u003eRemove or restrict access to the \u003ccode\u003etoArray\u003c/code\u003e method in the Twig sandbox configuration (\u003ccode\u003esystem/config/security.yaml\u003c/code\u003e) for the \u003ccode\u003eGrav\\Common\\Config\\Config\u003c/code\u003e class to prevent unauthorized access to sensitive configuration data.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Grav CMS Config Exfiltration via Twig\u003c/code\u003e to monitor for exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and rotate any exposed credentials to minimize the impact of potential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T15:32:37Z","date_published":"2026-05-13T15:32:37Z","id":"https://feed.craftedsignal.io/briefs/2026-05-grav-twig-rce/","summary":"A vulnerability in the Grav CMS Twig sandbox allow-list allows any user with the `admin.pages` role to call `config.toArray()` from within a page body, dumping the entire merged site configuration, including all plugin secrets, into the rendered HTML.","title":"Grav CMS Twig Sandbox Vulnerability Allows Plugin Secret Exfiltration","url":"https://feed.craftedsignal.io/briefs/2026-05-grav-twig-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Grav (\u003c= 2.0.0-Rc.1)","version":"https://jsonfeed.org/version/1.1"}