{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/yaml-injection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["grav"],"_cs_severities":["critical"],"_cs_tags":["gravcms","privilege-escalation","yaml-injection"],"_cs_type":"advisory","_cs_vendors":["getgrav"],"content_html":"\u003cp\u003eA vulnerability in Grav CMS version \u003ccode\u003e2.0.0-beta.2\u003c/code\u003e allows a low-privileged, authenticated API user to escalate privileges to a super administrator. This flaw resides in the \u003ccode\u003e/api/v1/blueprint-upload\u003c/code\u003e endpoint. By manipulating the \u003ccode\u003edestination\u003c/code\u003e and \u003ccode\u003escope\u003c/code\u003e parameters, an attacker can write an arbitrary YAML file into the \u003ccode\u003euser/accounts/\u003c/code\u003e directory. This circumvents intended access controls, allowing the creation of a new administrator account with \u003ccode\u003eapi.super\u003c/code\u003e privileges. Exploitation requires only \u003ccode\u003eapi.media.write\u003c/code\u003e access. Successful exploitation leads to complete control over the CMS management API, potentially enabling further attacks such as code execution. 
This vulnerability was disclosed on May 6, 2026, and poses a significant threat to Grav CMS installations using the API plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Grav CMS API using a low-privileged account with \u003ccode\u003eapi.media.write\u003c/code\u003e permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to \u003ccode\u003e/api/v1/blueprint-upload\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes multipart form data with the \u003ccode\u003edestination\u003c/code\u003e parameter set to \u003ccode\u003eself@:\u003c/code\u003e and the \u003ccode\u003escope\u003c/code\u003e parameter set to \u003ccode\u003eusers/anything\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003efile\u003c/code\u003e parameter containing a YAML file crafted to create a new admin user, including setting a plaintext password and \u003ccode\u003eapi.super\u003c/code\u003e access.\u003c/li\u003e\n\u003cli\u003eThe Grav CMS API resolves the file path based on the \u003ccode\u003edestination\u003c/code\u003e and \u003ccode\u003escope\u003c/code\u003e parameters, writing the malicious YAML file to the \u003ccode\u003euser/accounts/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Grav CMS API using the newly created admin user credentials defined in the YAML file.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully logs in as a super administrator, gaining full access to the Grav CMS management API.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their elevated privileges to modify content, alter configurations, manage users, or install malicious plugins/themes, ultimately achieving complete CMS compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation grants an attacker 
full control over the Grav CMS instance. An attacker can modify website content, alter configurations, manage users (including creating additional administrator accounts), install or update plugins/themes, and access system-level administration features. This can lead to complete CMS compromise, potentially resulting in data theft, defacement, or further exploitation, such as server-side code execution. The vulnerability allows any user with limited API access (\u003ccode\u003eapi.media.write\u003c/code\u003e) to create a super administrator account, drastically increasing the attack surface and potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Grav CMS to version \u003ccode\u003e2.0.0-beta.4\u003c/code\u003e or later to patch the vulnerability as per the advisory (\u003ca href=\"https://github.com/advisories/GHSA-6xx2-m8wv-756h\"\u003ehttps://github.com/advisories/GHSA-6xx2-m8wv-756h\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Grav CMS Malicious Blueprint Upload\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring for suspicious blueprint uploads to the \u003ccode\u003euser/accounts\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Grav CMS New Admin User Creation via API\u003c/code\u003e to identify the creation of new admin users via the API endpoint.\u003c/li\u003e\n\u003cli\u003eRestrict \u003ccode\u003eapi.media.write\u003c/code\u003e permissions to only trusted users, reducing the potential attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T21:19:21Z","date_published":"2026-05-06T21:19:21Z","id":"/briefs/2024-01-grav-api-privesc/","summary":"A low-privileged authenticated API user with `api.media.write` can abuse `/api/v1/blueprint-upload` in Grav CMS to write an arbitrary YAML file into 
`user/accounts/`, enabling creation of a super-admin account and leading to full administrative compromise of the Grav API.","title":"Grav CMS API Blueprint Upload Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-grav-api-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Yaml-Injection","version":"https://jsonfeed.org/version/1.1"}