CVE-2025-66306: CWE-639: Authorization Bypass Through User-Controlled Key in getgrav grav
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, there is an IDOR (Insecure Direct Object Reference) vulnerability in the Grav CMS Admin Panel which allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin email addresses and other metadata can be exposed, increasing the risk of phishing, credential stuffing, and social engineering. This vulnerability is fixed in 1.8.0-beta.27.
AI Analysis
Technical Summary
CVE-2025-66306 is a security vulnerability classified as CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the Grav CMS Admin Panel in versions prior to 1.8.0-beta.27. Grav is a file-based web platform used for content management. The vulnerability arises from an Insecure Direct Object Reference (IDOR) flaw: the Admin Panel looks up account data by a key supplied in the request, so low-privilege users can manipulate that key to read information belonging to other user accounts. Specifically, unauthorized users can retrieve admin email addresses and other metadata that are not intended to be viewable by non-privileged users. Although this flaw does not allow attackers to take over accounts directly or modify data, the exposure of sensitive metadata can facilitate secondary attacks such as phishing campaigns, credential stuffing, or social engineering. The vulnerability has a CVSS v3.1 base score of 4.3 (medium severity); its vector denotes network access, low attack complexity, privileges required, no user interaction, and a limited confidentiality impact with no effect on integrity or availability. The flaw was publicly disclosed on December 1, 2025, and fixed in Grav version 1.8.0-beta.27. No known exploits have been reported in the wild to date. The vulnerability affects all Grav CMS installations running versions older than 1.8.0-beta.27 that have the Admin Panel enabled and accessible to low-privilege users.
Potential Impact
For European organizations using Grav CMS, this vulnerability primarily threatens the confidentiality of sensitive administrative metadata, such as email addresses. Exposure of such information can increase the risk of targeted phishing attacks, which are a common vector for initial compromise in many cyberattacks. Credential stuffing attacks may also be facilitated if attackers use leaked emails combined with password lists from other breaches. Social engineering risks rise as attackers gain insights into organizational structure and personnel. While the vulnerability does not allow direct account takeover or system compromise, the indirect risks can lead to significant security incidents if attackers leverage the exposed information effectively. Organizations in sectors with high phishing risks, such as finance, government, healthcare, and critical infrastructure, may face elevated threats. Additionally, the presence of low-privilege users with access to the Admin Panel increases the attack surface. The impact is thus moderate but can cascade into more severe breaches if combined with other vulnerabilities or weak security practices.
Mitigation Recommendations
European organizations should immediately upgrade Grav CMS installations to version 1.8.0-beta.27 or later to remediate this vulnerability. If immediate patching is not feasible, restrict access to the Admin Panel to only trusted and fully authorized users, employing network segmentation and IP whitelisting where possible. Implement strict role-based access controls (RBAC) to ensure that low-privilege users cannot access sensitive metadata. Monitor access logs for unusual or unauthorized attempts to access user data. Employ multi-factor authentication (MFA) for all administrative accounts to reduce the risk of credential compromise. Conduct phishing awareness training for staff to mitigate risks from potential phishing attacks leveraging exposed email addresses. Regularly audit CMS configurations and user privileges to ensure compliance with the principle of least privilege. Finally, consider deploying web application firewalls (WAFs) with rules designed to detect and block suspicious parameter tampering attempts targeting the Admin Panel.
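To make the flaw class concrete, here is an added illustration (not Grav's code and not the 1.8.0-beta.27 fix) of the CWE-639 pattern the advisory describes: an account lookup that trusts a request-supplied key, beside a hardened lookup that authorizes the key itself, plus a check over constructed access-log lines for the cross-account reads the monitoring recommendation above targets. The account names, the /admin/user/<name> path and the log format are assumptions.

```python
"""CWE-639 (IDOR) pattern behind the Grav admin-panel advisory, modelled
hypothetically: an endpoint fetching an account by a request-supplied key.
Not Grav's code; all names, paths and records here are assumptions."""
import re

# Constructed account store (hypothetical records, not real data).
ACCOUNTS = {
    "alice": {"email": "alice@example.invalid", "super_admin": True},
    "bob": {"email": "bob@example.invalid", "super_admin": False},
}

class Forbidden(Exception):
    pass

def account_vulnerable(requester, target):
    """Flawed pattern: checks only that the caller is logged in, then
    returns whatever record the user-controlled key points at."""
    if requester not in ACCOUNTS:
        raise Forbidden("not logged in")
    return ACCOUNTS[target]  # no ownership/privilege check on 'target'

def account_fixed(requester, target):
    """Hardened pattern: authorize the key itself, not just the session.
    A low-privilege user may only read its own record."""
    if requester not in ACCOUNTS:
        raise Forbidden("not logged in")
    if target != requester and not ACCOUNTS[requester]["super_admin"]:
        raise Forbidden("cannot read other accounts")
    return ACCOUNTS[target]

def denied(requester, target):
    """True when the hardened lookup refuses the request."""
    try:
        account_fixed(requester, target)
    except Forbidden:
        return True
    return False

# Detection side. Constructed log excerpt; the line format is an assumption.
SAMPLE_LOG = """\
2025-12-01T10:00:01Z user=bob GET /admin/user/bob 200
2025-12-01T10:00:07Z user=bob GET /admin/user/alice 200
2025-12-01T10:01:15Z user=alice GET /admin/user/bob 200
"""
LOG_RE = re.compile(r"user=(\S+) GET /admin/user/(\S+) (\d{3})")

def cross_account_reads(log_text):
    """(user, target) pairs where a non-admin successfully read another account."""
    return [(u, t) for u, t, status in LOG_RE.findall(log_text)
            if status == "200" and t != u and not ACCOUNTS.get(u, {}).get("super_admin")]
```

The vulnerable lookup hands bob alice's email; the hardened one refuses, and the log check surfaces the same cross-account read as a hunting lead.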
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-26T23:11:46.396Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692e0ef03937fa579fe46181
Added to database: 12/1/2025, 9:56:00 PM
Last enriched: 12/8/2025, 10:12:13 PM
Last updated: 1/16/2026, 1:32:53 AM