CVE-2026-42610: CWE-863: Incorrect Authorization in getgrav grav
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav['accounts'] service. Attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt. This vulnerability is fixed in 2.0.0-beta.2.
AI Analysis
Technical Summary
CVE-2026-42610 is an incorrect authorization vulnerability (CWE-863) in the Grav file-based web platform. It affects versions before 2.0.0-beta.2, where a user with limited privileges can circumvent Twig sandbox restrictions by leveraging the grav['accounts'] service. This unauthorized access allows reading of administrative user objects and sensitive data such as password hashes and security salts. The vulnerability has a CVSS 3.1 base score of 6.5, indicating a medium severity. No known exploits in the wild have been reported. The vulnerability is resolved in Grav version 2.0.0-beta.2.
Potential Impact
An attacker with low-level permissions can access sensitive administrative data, including password hashes and security salts, potentially aiding further attacks such as offline password cracking. However, the vulnerability does not allow direct modification or denial of service. The confidentiality impact is high, while integrity and availability impacts are not affected.
Mitigation Recommendations
Upgrade Grav to version 2.0.0-beta.2 or later to apply the official fix for this vulnerability. Since the vendor advisory confirms the issue is fixed in this version, no additional mitigations are required beyond patching. Patch status is confirmed by the vendor advisory stating the fix is included in 2.0.0-beta.2.
CVE-2026-42610: CWE-863: Incorrect Authorization in getgrav grav
Description
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav['accounts'] service. Attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt. This vulnerability is fixed in 2.0.0-beta.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-42610 is an incorrect authorization vulnerability (CWE-863) in the Grav file-based web platform. It affects versions before 2.0.0-beta.2, where a user with limited privileges can circumvent Twig sandbox restrictions by leveraging the grav['accounts'] service. This unauthorized access allows reading of administrative user objects and sensitive data such as password hashes and security salts. The vulnerability has a CVSS 3.1 base score of 6.5, indicating a medium severity. No known exploits in the wild have been reported. The vulnerability is resolved in Grav version 2.0.0-beta.2.
Potential Impact
An attacker with low-level permissions can access sensitive administrative data, including password hashes and security salts, potentially aiding further attacks such as offline password cracking. However, the vulnerability does not allow direct modification or denial of service. The confidentiality impact is high, while integrity and availability impacts are not affected.
Mitigation Recommendations
Upgrade Grav to version 2.0.0-beta.2 or later to apply the official fix for this vulnerability. Since the vendor advisory confirms the issue is fixed in this version, no additional mitigations are required beyond patching. Patch status is confirmed by the vendor advisory stating the fix is included in 2.0.0-beta.2.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-29T00:31:15.726Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a01f78ecbff5d86102f203b
Added to database: 5/11/2026, 3:36:46 PM
Last enriched: 5/11/2026, 3:53:57 PM
Last updated: 5/12/2026, 3:48:36 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.