Yaml-Injection — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/yaml-injection/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 06 May 2026 21:19:21 +0000Grav CMS API Blueprint Upload Privilege Escalationhttps://feed.craftedsignal.io/briefs/2024-01-grav-api-privesc/Wed, 06 May 2026 21:19:21 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-grav-api-privesc/A low-privileged authenticated API user with `api.media.write` can abuse `/api/v1/blueprint-upload` in Grav CMS to write an arbitrary YAML file into `user/accounts/`, enabling creation of a super-admin account and leading to full administrative compromise of the Grav API.A vulnerability in Grav CMS version 2.0.0-beta.2 allows a low-privileged, authenticated API user to escalate privileges to a super administrator. This flaw resides in the /api/v1/blueprint-upload endpoint. By manipulating the destination and scope parameters, an attacker can write an arbitrary YAML file into the user/accounts/ directory. This circumvents intended access controls, allowing the creation of a new administrator account with api.super privileges. Exploitation requires only api.media.write access. Successful exploitation leads to complete control over the CMS management API, potentially enabling further attacks such as code execution. This vulnerability was disclosed on May 6, 2026, and poses a significant threat to Grav CMS installations using the API plugin.

Attack Chain

  1. Attacker authenticates to the Grav CMS API using a low-privileged account with api.media.write permissions.
  2. The attacker crafts a malicious HTTP POST request to /api/v1/blueprint-upload.
  3. The request includes multipart form data with the destination parameter set to self@: and the scope parameter set to users/anything.
  4. The request includes a file parameter containing a YAML file crafted to create a new admin user, including setting a plaintext password and api.super access.
  5. The Grav CMS API resolves the file path based on the destination and scope parameters, writing the malicious YAML file to the user/accounts/ directory.
  6. The attacker authenticates to the Grav CMS API using the newly created admin user credentials defined in the YAML file.
  7. The attacker successfully logs in as a super administrator, gaining full access to the Grav CMS management API.
  8. The attacker leverages their elevated privileges to modify content, alter configurations, manage users, or install malicious plugins/themes, ultimately achieving complete CMS compromise.

Impact

Successful exploitation grants an attacker full control over the Grav CMS instance. An attacker can modify website content, alter configurations, manage users (including creating additional administrator accounts), install or update plugins/themes, and access system-level administration features. This can lead to complete CMS compromise, potentially resulting in data theft, defacement, or further exploitation, such as server-side code execution. The vulnerability allows any user with limited API access (api.media.write) to create a super administrator account, drastically increasing the attack surface and potential for widespread damage.

Recommendation

  • Upgrade Grav CMS to version 2.0.0-beta.4 or later to patch the vulnerability as per the advisory (https://github.com/advisories/GHSA-6xx2-m8wv-756h).
  • Deploy the Sigma rule Detect Grav CMS Malicious Blueprint Upload to detect attempts to exploit this vulnerability by monitoring for suspicious blueprint uploads to the user/accounts directory.
  • Implement the Sigma rule Detect Grav CMS New Admin User Creation via API to identify the creation of new admin users via the API endpoint.
  • Restrict api.media.write permissions to only trusted users, reducing the potential attack surface.
]]>criticaladvisorygravcmsprivilege-escalationyaml-injection