Product
An unauthenticated attacker can exploit a flaw in Grav prior to version 2.0.4 where the default .htaccess file's rules for blocking access to sensitive file types are case-sensitive, allowing bypass on case-insensitive filesystems (Windows, macOS, or Docker volume mounts) by requesting sensitive configuration files (e.g., .yaml, .php, .json) using uppercase or mixed-case extensions, leading to unauthorized reading of files that may contain API keys and credentials.