{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/grav--2.0.4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-62230"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Grav \u003c 2.0.4"],"_cs_severities":["high"],"_cs_tags":["web-vulnerability","information-disclosure","grav"],"_cs_type":"advisory","_cs_vendors":["Grav"],"content_html":"\u003cp\u003eGrav, a popular flat-file CMS, prior to version 2.0.4, is vulnerable to a sensitive information disclosure flaw identified as CVE-2026-62230. The default \u003ccode\u003e.htaccess\u003c/code\u003e file, which is designed to block direct web access to sensitive file types such as \u003ccode\u003e.yaml\u003c/code\u003e, \u003ccode\u003e.php\u003c/code\u003e, and \u003ccode\u003e.json\u003c/code\u003e, lacks the necessary \u003ccode\u003e[NC]\u003c/code\u003e (No Case-insensitivity) flag in its rules. This oversight means that on operating systems with case-insensitive filesystems, including Windows (NTFS), macOS (HFS+), or environments utilizing Docker volume mounts, an unauthenticated attacker can bypass these intended restrictions. By simply requesting these sensitive files with uppercase or mixed-case extensions (e.g., \u003ccode\u003econfig.YAML\u003c/code\u003e instead of \u003ccode\u003econfig.yaml\u003c/code\u003e), the attacker can read their contents. This vulnerability poses a significant risk as these configuration files often contain critical data, such as API keys, database credentials, and other sensitive application settings, potentially leading to unauthorized access and further compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a Grav instance running on a web server deployed on a case-insensitive filesystem (e.g., Windows/NTFS, macOS/HFS+, or Docker volume mounts).\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance to identify the paths of sensitive configuration files within the Grav installation, such as \u003ccode\u003euser/config/security.yaml\u003c/code\u003e or other potentially sensitive \u003ccode\u003e.php\u003c/code\u003e and \u003ccode\u003e.json\u003c/code\u003e files.\u003c/li\u003e\n\u003cli\u003eTo bypass the existing \u003ccode\u003e.htaccess\u003c/code\u003e restrictions, the attacker crafts an HTTP GET request targeting one of these sensitive files, intentionally modifying its extension to uppercase or mixed-case (e.g., \u003ccode\u003e/user/config/security.YAML\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe web server, operating on the case-insensitive filesystem, successfully resolves the file path despite the altered casing of the extension.\u003c/li\u003e\n\u003cli\u003eThe default \u003ccode\u003e.htaccess\u003c/code\u003e rules, which are case-sensitive due to the missing \u003ccode\u003e[NC]\u003c/code\u003e flag, fail to match the uppercase or mixed-case extension, thus allowing the request to proceed instead of blocking it.\u003c/li\u003e\n\u003cli\u003eThe web server then processes the request and serves the full content of the sensitive configuration file to the attacker, bypassing the intended access control.\u003c/li\u003e\n\u003cli\u003eThe attacker collects and analyzes the retrieved file content to extract valuable information such as API keys, database credentials, or other sensitive configuration parameters, enabling further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of CVE-2026-62230 allows an unauthenticated attacker to gain unauthorized access to sensitive configuration files within a Grav installation. These files frequently store critical data such as API keys, database credentials, environment variables, and other secrets. The exposure of such information can lead to severe consequences, including unauthorized access to backend systems, data breaches, privilege escalation, and further compromise of the affected Grav application and connected services. While specific victim counts are not available, any Grav instance prior to version 2.0.4 running on Windows, macOS, or Docker with default configurations is at risk of information disclosure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update Grav to version 2.0.4 or later to apply the official patch for CVE-2026-62230.\u003c/li\u003e\n\u003cli\u003eInspect existing \u003ccode\u003e.htaccess\u003c/code\u003e files for rules blocking access to sensitive file types (e.g., \u003ccode\u003e.yaml\u003c/code\u003e, \u003ccode\u003e.php\u003c/code\u003e, \u003ccode\u003e.json\u003c/code\u003e, \u003ccode\u003e.env\u003c/code\u003e) and ensure they include the \u003ccode\u003e[NC]\u003c/code\u003e (No Case-insensitivity) flag to prevent bypasses.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-62230 Exploitation - Grav .htaccess Bypass Attempt\u0026quot; to your SIEM to detect attempts to access sensitive files with altered casing.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs (webserver category) for suspicious GET requests to sensitive file extensions (e.g., \u003ccode\u003e.YAML\u003c/code\u003e, \u003ccode\u003e.PHP\u003c/code\u003e, \u003ccode\u003e.JSON\u003c/code\u003e, \u003ccode\u003e.ENV\u003c/code\u003e, \u003ccode\u003e.TXT\u003c/code\u003e) that result in successful HTTP status codes (e.g., 200 OK) where they should have been blocked.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T02:35:06Z","date_published":"2026-07-17T02:35:06Z","id":"https://feed.craftedsignal.io/briefs/2026-07-grav-htaccess-bypass/","summary":"An unauthenticated attacker can exploit a flaw in Grav prior to version 2.0.4 where the default .htaccess file's rules for blocking access to sensitive file types are case-sensitive, allowing bypass on case-insensitive filesystems (Windows, macOS, or Docker volume mounts) by requesting sensitive configuration files (e.g., .yaml, .php, .json) using uppercase or mixed-case extensions, leading to unauthorized reading of files that may contain API keys and credentials.","title":"Grav .htaccess Case-Insensitivity Bypass for Sensitive File Access","url":"https://feed.craftedsignal.io/briefs/2026-07-grav-htaccess-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Grav \u003c 2.0.4","version":"https://jsonfeed.org/version/1.1"}