{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/web/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":["CVE-2026-42613"],"_cs_exploited":false,"_cs_products":["Login Plugin","Grav Core","grav-plugin-login"],"_cs_severities":["critical"],"_cs_tags":["grav","privilege-escalation","web"],"_cs_type":"advisory","_cs_vendors":["Grav"],"content_html":"\u003cp\u003eA critical privilege escalation vulnerability exists in the Grav CMS Login plugin (grav-plugin-login) version 3.8.0, affecting Grav Core versions prior to 2.0.0-beta.2. The \u003ccode\u003eLogin::register()\u003c/code\u003e method does not validate the \u003ccode\u003egroups\u003c/code\u003e and \u003ccode\u003eaccess\u003c/code\u003e fields submitted during user registration. If self-registration is enabled and those two fields are among the allowed registration fields, an unauthenticated user can submit a crafted registration request that assigns the new account admin privileges. Because admin access permits modifying content and installing plugins, this leads to complete compromise of the Grav instance and potentially to arbitrary code execution on the server. The vulnerability is tracked as CVE-2026-42613. 
The fix was applied on 2026-04-24 and released in grav-plugin-login 3.8.2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Grav CMS instance with user registration enabled and \u003ccode\u003egroups\u003c/code\u003e or \u003ccode\u003eaccess\u003c/code\u003e included in the allowed registration fields.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to the \u003ccode\u003e/user_register\u003c/code\u003e endpoint carrying the ordinary \u003ccode\u003eusername\u003c/code\u003e, \u003ccode\u003epassword\u003c/code\u003e, \u003ccode\u003eemail\u003c/code\u003e, and \u003ccode\u003efullname\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eThe attacker adds \u003ccode\u003egroups\u003c/code\u003e and \u003ccode\u003eaccess\u003c/code\u003e parameters to the same request with values that confer admin rights (e.g., \u003ccode\u003egroups[]=admins\u003c/code\u003e, \u003ccode\u003eaccess[admin][super]=true\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eLogin::register()\u003c/code\u003e accepts the submitted data without validating the injected \u003ccode\u003egroups\u003c/code\u003e and \u003ccode\u003eaccess\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled \u003ccode\u003egroups\u003c/code\u003e and \u003ccode\u003eaccess\u003c/code\u003e values are assigned directly to the newly created user object.\u003c/li\u003e\n\u003cli\u003eThe user object is saved, creating a new account with admin privileges in the \u003ccode\u003euser/accounts/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker logs in to the Grav admin panel with the newly created account.\u003c/li\u003e\n\u003cli\u003eUsing that admin access, the attacker installs malicious plugins or otherwise executes arbitrary code on the server, achieving complete compromise of the host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation grants an unauthenticated attacker full administrative access to the Grav CMS instance, which in turn enables website defacement, data exfiltration, and remote code execution through admin functionality such as plugin installation. The advisory reports no victim count and no sector targeting; exposure is determined by configuration, so any Grav instance that has self-registration enabled and exposes \u003ccode\u003egroups\u003c/code\u003e or \u003ccode\u003eaccess\u003c/code\u003e as registration fields should be treated as exploitable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to grav-plugin-login version 3.8.2 or later, which patches CVE-2026-42613.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, remove \u003ccode\u003egroups\u003c/code\u003e and \u003ccode\u003eaccess\u003c/code\u003e from the allowed registration fields in the Login plugin configuration, or disable self-registration until the upgrade is done.\u003c/li\u003e\n\u003cli\u003eAudit the account files under \u003ccode\u003euser/accounts/\u003c/code\u003e for unexpected users that carry admin group membership or an \u003ccode\u003eaccess\u003c/code\u003e block granting admin rights; an instance that ran with the vulnerable configuration may already have been exploited.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Malicious Grav User Registration\u003c/code\u003e to flag registration requests that carry injected admin privileges.\u003c/li\u003e\n\u003cli\u003eUse the \u003ccode\u003eGrav Registration Attempt with Group/Access Parameters\u003c/code\u003e Sigma rule to alert on POST requests to the \u003ccode\u003e/user_register\u003c/code\u003e endpoint that contain \u003ccode\u003egroups\u003c/code\u003e or \u003ccode\u003eaccess\u003c/code\u003e parameters. These parameters travel in the request body, which default web server access logs do not record, so the rule needs a log source that captures request bodies, such as a WAF, a reverse proxy with body logging, or application-level logging.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-grav-privesc/","summary":"Unauthenticated users can escalate privileges to admin in Grav CMS by manipulating registration data due to missing server-side validation in the Login plugin.","title":"Grav Login Plugin Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-grav-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Web","version":"https://jsonfeed.org/version/1.1"}
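The detection the brief's attack chain and recommendations describe, as an added example that is not part of the CraftedSignal brief or the Grav project's code. It assumes a log source that records request bodies (the constructed JSON lines stand in for a body-logging reverse proxy or WAF), treats `data[...]`-wrapped field names the way Grav form submissions are commonly shaped (an assumption), and pairs the detection with an allow-list filter that illustrates the class of fix the advisory calls for, not the actual grav-plugin-login 3.8.2 patch. The `/user_register` path and the `groups[]` / `access[admin][super]` parameter names are taken from the brief; everything else is constructed.

```python
"""Added example (not from the CraftedSignal brief or the Grav project).

Flags registration requests that smuggle groups/access fields, and shows the
server-side allow-list that keeps such fields off the user object. Assumed:
the log source records request bodies (constructed JSON lines below); Grav
forms may wrap fields as data[...]; the allow-list is illustrative only.
"""
from __future__ import annotations

import json
import re
from urllib.parse import parse_qsl, urlsplit

REGISTER_PATH = "/user_register"
# Fields that must never be accepted from a self-registration form.
PRIVILEGE_FIELDS = {"groups", "access"}
# Fields a registration form legitimately needs (assumed allow-list).
ALLOWED_FIELDS = {"username", "password", "password1", "password2", "email", "fullname"}

_SEGMENTS = re.compile(r"\[([^\]]*)\]")


def field_name(param: str) -> str:
    """Reduce a PHP-style parameter name to its top-level field:
    'access[admin][super]' -> 'access', 'groups[]' -> 'groups',
    'data[groups][]' -> 'groups' (assumed data[...] form wrapper)."""
    head, sep, rest = param.partition("[")
    segments = [head] + (_SEGMENTS.findall(sep + rest) if sep else [])
    if segments[0] == "data" and len(segments) > 1:
        segments = segments[1:]
    return segments[0]


def request_params(path: str, body: str) -> list[tuple[str, str]]:
    """Every submitted parameter: query string first, then the form body."""
    query = urlsplit(path).query
    return parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)


def privilege_params(path: str, body: str) -> dict[str, str]:
    """Submitted parameters whose top-level field is groups or access."""
    return {k: v for k, v in request_params(path, body) if field_name(k) in PRIVILEGE_FIELDS}


def is_registration_request(method: str, path: str) -> bool:
    return method.upper() == "POST" and urlsplit(path).path.rstrip("/") == REGISTER_PATH


def is_malicious_registration(method: str, path: str, body: str) -> bool:
    """True for a registration POST carrying groups/access in body or query."""
    return is_registration_request(method, path) and bool(privilege_params(path, body))


def sanitize_registration(body: str) -> dict[str, str]:
    """Server-side counterpart: keep only allow-listed fields, so groups/access
    never reach the user object regardless of how the form is configured."""
    return {k: v for k, v in parse_qsl(body, keep_blank_values=True)
            if field_name(k) in ALLOWED_FIELDS}


# Constructed sample records (JSON lines) from a hypothetical body-logging proxy.
SAMPLE_LOG = [
    '{"src_ip":"203.0.113.10","method":"POST","path":"/user_register",'
    '"body":"username=alice&password=S3cret!&email=alice%40example.org&fullname=Alice"}',
    '{"src_ip":"198.51.100.7","method":"POST","path":"/user_register",'
    '"body":"username=evil&password=x&email=e%40example.org&fullname=Evil'
    '&groups%5B%5D=admins&access%5Badmin%5D%5Bsuper%5D=true"}',
    '{"src_ip":"198.51.100.8","method":"POST","path":"/user_register/?data%5Bgroups%5D%5B%5D=admins",'
    '"body":"username=evil2&password=x&email=e2%40example.org&fullname=Evil2"}',
    '{"src_ip":"192.0.2.5","method":"GET","path":"/user_register","body":""}',
    '{"src_ip":"192.0.2.6","method":"POST","path":"/contact","body":"groups%5B%5D=admins"}',
]


def scan_log(lines: list[str]) -> list[dict]:
    """One finding per registration request that carries privilege fields."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        body = rec.get("body", "")
        if is_malicious_registration(rec["method"], rec["path"], body):
            findings.append({"src_ip": rec["src_ip"],
                             "params": privilege_params(rec["path"], body)})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"ALERT {finding['src_ip']} injected {finding['params']}")
```

Running the script reports the two constructed attacker records (one with the fields URL-encoded in the body, one hiding `data[groups][]` in the query string) and ignores the benign registration, the GET, and the unrelated POST. The detection matches on the top-level field name after decoding, so `%5B`-encoded brackets and the `data[...]` wrapper do not evade it; `sanitize_registration()` shows the complementary server-side control, an allow-list of registration fields rather than a deny-list of dangerous ones.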