Secret-Exfiltration — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/secret-exfiltration/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 13 May 2026 15:32:37 +0000Grav CMS Twig Sandbox Vulnerability Allows Plugin Secret Exfiltrationhttps://feed.craftedsignal.io/briefs/2026-05-grav-twig-rce/Wed, 13 May 2026 15:32:37 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-grav-twig-rce/A vulnerability in the Grav CMS Twig sandbox allow-list allows any user with the `admin.pages` role to call `config.toArray()` from within a page body, dumping the entire merged site configuration, including all plugin secrets, into the rendered HTML.A vulnerability exists in Grav CMS version 2.0.0-rc.1 and earlier that allows users with the admin.pages role to exfiltrate sensitive configuration data. The Twig sandbox configuration permits calls to the Config::toArray() method, which exposes the entire merged site configuration, including plugin secrets. An editor-role user can inject a Twig code snippet into a page’s content, causing the full configuration to be rendered as JSON within the HTML. This issue was reported on May 13, 2026, and poses a significant risk to Grav CMS deployments by allowing unauthorized access to sensitive credentials. No administrator privileges are required for this exploit, broadening the attack surface.

Attack Chain

  1. Attacker obtains editor-level access (admin.pages role) to the Grav CMS admin panel.
  2. Attacker crafts a page with process.twig: true in the frontmatter to enable Twig processing.
  3. Attacker inserts the payload {{ config.toArray()|json_encode|raw }} into the page body.
  4. Attacker saves the page through the admin panel.
  5. The Grav CMS renders the page, executing the Twig code.
  6. The config.toArray() function dumps the entire merged site configuration as a JSON string.
  7. The JSON string, containing sensitive plugin secrets, is embedded within the rendered HTML of the page.
  8. Attacker accesses the rendered page, extracts the JSON string, and obtains plugin credentials.

Impact

Successful exploitation allows any user with the editor role (admin.pages) to exfiltrate all plugin credentials stored in the Grav CMS site configuration. This includes sensitive information such as SMTP passwords, AWS access/secret keys, OAuth client secrets, reCAPTCHA keys, and other API tokens. The compromise of these credentials can lead to unauthorized access to connected services, data breaches, and further lateral movement within the affected systems.

Recommendation

  • Upgrade Grav CMS to a version beyond 2.0.0-rc.1 to address CVE-2026-44738.
  • Remove or restrict access to the toArray method in the Twig sandbox configuration (system/config/security.yaml) for the Grav\Common\Config\Config class to prevent unauthorized access to sensitive configuration data.
  • Deploy the Sigma rule Detect Grav CMS Config Exfiltration via Twig to monitor for exploitation attempts.
  • Review and rotate any exposed credentials to minimize the impact of potential compromise.
]]>highadvisorygravtwigrcesecret-exfiltration