Grav CMS API Blueprint Upload Privilege Escalation

hello@craftedsignal.io — Wed, 06 May 2026 21:19:21 +0000

A vulnerability in Grav CMS version 2.0.0-beta.2 allows a low-privileged, authenticated API user to escalate privileges to a super administrator. This flaw resides in the /api/v1/blueprint-upload endpoint. By manipulating the destination and scope parameters, an attacker can write an arbitrary YAML file into the user/accounts/ directory. This circumvents intended access controls, allowing the creation of a new administrator account with api.super privileges. Exploitation requires only api.media.write access. Successful exploitation leads to complete control over the CMS management API, potentially enabling further attacks such as code execution. This vulnerability was disclosed on May 6, 2026, and poses a significant threat to Grav CMS installations using the API plugin.

Attack Chain

Attacker authenticates to the Grav CMS API using a low-privileged account with api.media.write permissions.
The attacker crafts a malicious HTTP POST request to /api/v1/blueprint-upload.
The request includes multipart form data with the destination parameter set to self@: and the scope parameter set to users/anything.
The request includes a file parameter containing a YAML file crafted to create a new admin user, including setting a plaintext password and api.super access.
The Grav CMS API resolves the file path based on the destination and scope parameters, writing the malicious YAML file to the user/accounts/ directory.
The attacker authenticates to the Grav CMS API using the newly created admin user credentials defined in the YAML file.
The attacker successfully logs in as a super administrator, gaining full access to the Grav CMS management API.
The attacker leverages their elevated privileges to modify content, alter configurations, manage users, or install malicious plugins/themes, ultimately achieving complete CMS compromise.

Impact

Successful exploitation grants an attacker full control over the Grav CMS instance. An attacker can modify website content, alter configurations, manage users (including creating additional administrator accounts), install or update plugins/themes, and access system-level administration features. This can lead to complete CMS compromise, potentially resulting in data theft, defacement, or further exploitation, such as server-side code execution. The vulnerability allows any user with limited API access (api.media.write) to create a super administrator account, drastically increasing the attack surface and potential for widespread damage.

Recommendation

Upgrade Grav CMS to version 2.0.0-beta.4 or later to patch the vulnerability as per the advisory (https://github.com/advisories/GHSA-6xx2-m8wv-756h).
Deploy the Sigma rule Detect Grav CMS Malicious Blueprint Upload to detect attempts to exploit this vulnerability by monitoring for suspicious blueprint uploads to the user/accounts directory.
Implement the Sigma rule Detect Grav CMS New Admin User Creation via API to identify the creation of new admin users via the API endpoint.
Restrict api.media.write permissions to only trusted users, reducing the potential attack surface.

Grav CMS Privilege De-escalation via User Overwrite

hello@craftedsignal.io — Wed, 06 May 2026 14:00:00 +0000

Grav CMS versions prior to 2.0.0-beta.2 are vulnerable to a privilege de-escalation attack. A low-privileged user with the admin.users.create permission can overwrite the primary administrator account by creating a new user with the same username. Due to an insecure "Create or Update" logic, the system updates the existing account's metadata and permissions instead of rejecting the request. Although the attacker cannot directly elevate their own privileges, they can effectively disable administrative accounts, leading to a complete loss of management control over the CMS. This vulnerability was addressed in Grav core on April 24, 2026, with commit d904efc33.

Attack Chain

An administrator creates a low-privileged user (e.g., adminuser) and grants them the admin.users.create permission.
The low-privileged user logs into the Grav Admin Panel.
The user navigates to the user creation page.
The user fills out the "Add User" form, using the username of an existing administrator account (e.g., root0).
The user submits the form, which triggers the vulnerable UserObject::save function.
The system overwrites the administrator account's configuration file (e.g., user/accounts/root0.yaml) with the provided details, effectively stripping the administrator's permissions.
The administrator attempts to log in, but their account now has reduced or no administrative privileges.
The attacker has effectively achieved privilege de-escalation, causing a denial of service for the administrator.

Impact

Successful exploitation of this vulnerability allows a low-privileged user to disable all administrative accounts in the Grav CMS. This leads to a complete loss of management control over the CMS, potentially impacting any Grav installation where non-admin users are granted permission to create other users. The vulnerability has been assigned CVE-2026-42609 with a severity rating of High.

Recommendation

Upgrade Grav CMS to version 2.0.0-beta.2 or later to address the vulnerability described in this brief.
Review user permissions and restrict admin.users.create permissions to trusted users only, particularly in versions prior to 2.0.0-beta.2.
Monitor webserver logs for unusual user creation requests, specifically attempts to create users with existing administrator usernames using the Sigma rule provided below.
Audit user accounts regularly to detect any unauthorized changes in permissions.

Grav - CraftedSignal Threat Feed

Grav CMS API Blueprint Upload Privilege Escalation

Attack Chain

Impact

Recommendation

Grav CMS Privilege De-escalation via User Overwrite

Attack Chain

Impact

Recommendation