<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Grav &lt; 2.0.4 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/grav--2.0.4/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 02:35:06 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/grav--2.0.4/feed.xml" rel="self" type="application/rss+xml"/><item><title>Grav .htaccess Case-Insensitivity Bypass for Sensitive File Access</title><link>https://feed.craftedsignal.io/briefs/2026-07-grav-htaccess-bypass/</link><pubDate>Fri, 17 Jul 2026 02:35:06 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-grav-htaccess-bypass/</guid><description>An unauthenticated attacker can exploit a flaw in Grav prior to version 2.0.4 where the default .htaccess file's rules for blocking access to sensitive file types are case-sensitive, allowing bypass on case-insensitive filesystems (Windows, macOS, or Docker volume mounts) by requesting sensitive configuration files (e.g., .yaml, .php, .json) using uppercase or mixed-case extensions, leading to unauthorized reading of files that may contain API keys and credentials.</description><content:encoded><![CDATA[<p>Grav, a popular flat-file CMS, prior to version 2.0.4, is vulnerable to a sensitive information disclosure flaw identified as CVE-2026-62230. The default <code>.htaccess</code> file, which is designed to block direct web access to sensitive file types such as <code>.yaml</code>, <code>.php</code>, and <code>.json</code>, lacks the necessary <code>[NC]</code> (No Case-insensitivity) flag in its rules. This oversight means that on operating systems with case-insensitive filesystems, including Windows (NTFS), macOS (HFS+), or environments utilizing Docker volume mounts, an unauthenticated attacker can bypass these intended restrictions. By simply requesting these sensitive files with uppercase or mixed-case extensions (e.g., <code>config.YAML</code> instead of <code>config.yaml</code>), the attacker can read their contents. This vulnerability poses a significant risk as these configuration files often contain critical data, such as API keys, database credentials, and other sensitive application settings, potentially leading to unauthorized access and further compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a Grav instance running on a web server deployed on a case-insensitive filesystem (e.g., Windows/NTFS, macOS/HFS+, or Docker volume mounts).</li>
<li>The attacker performs reconnaissance to identify the paths of sensitive configuration files within the Grav installation, such as <code>user/config/security.yaml</code> or other potentially sensitive <code>.php</code> and <code>.json</code> files.</li>
<li>To bypass the existing <code>.htaccess</code> restrictions, the attacker crafts an HTTP GET request targeting one of these sensitive files, intentionally modifying its extension to uppercase or mixed-case (e.g., <code>/user/config/security.YAML</code>).</li>
<li>The web server, operating on the case-insensitive filesystem, successfully resolves the file path despite the altered casing of the extension.</li>
<li>The default <code>.htaccess</code> rules, which are case-sensitive due to the missing <code>[NC]</code> flag, fail to match the uppercase or mixed-case extension, thus allowing the request to proceed instead of blocking it.</li>
<li>The web server then processes the request and serves the full content of the sensitive configuration file to the attacker, bypassing the intended access control.</li>
<li>The attacker collects and analyzes the retrieved file content to extract valuable information such as API keys, database credentials, or other sensitive configuration parameters, enabling further malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploitation of CVE-2026-62230 allows an unauthenticated attacker to gain unauthorized access to sensitive configuration files within a Grav installation. These files frequently store critical data such as API keys, database credentials, environment variables, and other secrets. The exposure of such information can lead to severe consequences, including unauthorized access to backend systems, data breaches, privilege escalation, and further compromise of the affected Grav application and connected services. While specific victim counts are not available, any Grav instance prior to version 2.0.4 running on Windows, macOS, or Docker with default configurations is at risk of information disclosure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update Grav to version 2.0.4 or later to apply the official patch for CVE-2026-62230.</li>
<li>Inspect existing <code>.htaccess</code> files for rules blocking access to sensitive file types (e.g., <code>.yaml</code>, <code>.php</code>, <code>.json</code>, <code>.env</code>) and ensure they include the <code>[NC]</code> (No Case-insensitivity) flag to prevent bypasses.</li>
<li>Deploy the Sigma rule &quot;Detects CVE-2026-62230 Exploitation - Grav .htaccess Bypass Attempt&quot; to your SIEM to detect attempts to access sensitive files with altered casing.</li>
<li>Monitor web server access logs (webserver category) for suspicious GET requests to sensitive file extensions (e.g., <code>.YAML</code>, <code>.PHP</code>, <code>.JSON</code>, <code>.ENV</code>, <code>.TXT</code>) that result in successful HTTP status codes (e.g., 200 OK) where they should have been blocked.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>web-vulnerability</category><category>information-disclosure</category><category>grav</category></item></channel></rss>