{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/grav-login-plugin/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-62232"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Grav (\u003c 2.0.4)","Grav login plugin"],"_cs_severities":["high"],"_cs_tags":["grav","2fa-bypass","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["Grav"],"content_html":"\u003cp\u003eA significant vulnerability, identified as CVE-2026-62232, exists in Grav CMS versions prior to 2.0.4, specifically within its login plugin. This flaw allows for a complete bypass of two-factor authentication (2FA). Attackers who have already obtained a victim's password can exploit a critical authorization weakness in the \u003ccode\u003eregenerate2FASecret\u003c/code\u003e task. During the pending Time-based One-Time Password (TOTP) challenge window, this task only verifies user existence, not proper authorization, and notably lacks Cross-Site Request Forgery (CSRF) protection. By calling this task, an attacker can overwrite the victim's legitimate 2FA secret with an attacker-chosen value. This allows the attacker to compute a valid TOTP code and complete the authentication process, effectively rendering the 2FA mechanism useless and granting unauthorized access to the Grav administration panel. This vulnerability poses a severe risk to Grav installations that rely on 2FA for enhanced security.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains a valid user's password for a Grav CMS instance (pre-requisite).\u003c/li\u003e\n\u003cli\u003eAttacker initiates a login attempt to the Grav administration panel, submitting the valid password for the target user.\u003c/li\u003e\n\u003cli\u003eDuring the pending TOTP challenge window (after password submission but before 2FA code entry), the attacker sends an HTTP POST request to the \u003ccode\u003e/admin/login/task:regenerate2FASecret\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe Grav application processes this request, verifying the existence of the user but failing to perform proper authorization checks for the secret regeneration action.\u003c/li\u003e\n\u003cli\u003eDue to the lack of a CSRF nonce, the application accepts the attacker's request and overwrites the target user's legitimate 2FA secret with a new secret value provided or chosen by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker then calculates a valid TOTP code using the newly established, attacker-controlled 2FA secret.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the calculated TOTP code to complete the authentication process, bypassing the user's original 2FA setup.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized, authenticated access to the Grav administration panel, effectively reducing security to password-only protection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-62232 grants unauthorized access to the Grav CMS administration panel for any user whose password has been compromised. This directly compromises the integrity and confidentiality of the affected Grav installation, as attackers can then manipulate content, settings, and potentially deploy malicious code. The vulnerability effectively nullifies the security benefits of two-factor authentication, making user accounts as vulnerable as if only a password was required. The NVD assigns this vulnerability a CVSS 3.1 Base Score of 7.4 (High), indicating a significant security risk for organizations using vulnerable Grav instances.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch Grav CMS to version 2.0.4 or higher immediately to address CVE-2026-62232.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGrav 2FA Secret Regeneration Bypass\u003c/code\u003e to your SIEM system to detect exploitation attempts against CVE-2026-62232.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for suspicious HTTP POST requests to the \u003ccode\u003e/admin/login/task:regenerate2FASecret\u003c/code\u003e URI, especially if not preceded by a legitimate user-initiated 2FA regeneration flow.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T02:36:53Z","date_published":"2026-07-17T02:36:53Z","id":"https://feed.craftedsignal.io/briefs/2026-07-grav-2fa-bypass/","summary":"A high-severity two-factor authentication bypass vulnerability (CVE-2026-62232) in Grav CMS before version 2.0.4 allows an attacker with a victim's password to overwrite their 2FA secret via the `regenerate2FASecret` task, enabling unauthorized access by generating a valid TOTP code and reducing multi-factor authentication to password-only protection.","title":"Grav Two-Factor Authentication Bypass Vulnerability (CVE-2026-62232)","url":"https://feed.craftedsignal.io/briefs/2026-07-grav-2fa-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Grav Login Plugin","version":"https://jsonfeed.org/version/1.1"}