CVE-2026-44738: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in getgrav grav
A vulnerability in Grav versions prior to 2. 0. 0-rc. 2 allows users with the admin. pages role to expose the entire merged site configuration, including sensitive plugin secrets, by calling config. toArray() within a page body. This exposure occurs without requiring full administrator privileges and results in sensitive information being dumped into rendered HTML. The issue is fixed in version 2. 0. 0-rc.
AI Analysis
Technical Summary
CVE-2026-44738 is a CWE-200 vulnerability in the Grav file-based web platform. Before version 2.0.0-rc.2, the Twig sandbox allow-list permits users with the admin.pages role to invoke config.toArray() from a page body, which causes the entire merged site configuration—including sensitive data such as SMTP passwords, AWS keys, OAuth client secrets, and API tokens—to be output in the rendered HTML. This exposure does not require administrator privileges. The vulnerability has a CVSS 3.1 score of 7.7 (high severity) and is fixed in Grav 2.0.0-rc.2. The product is a cloud service, and the vendor manages remediation for the hosted service.
Potential Impact
An attacker with the admin.pages role can access highly sensitive configuration data, including credentials and API keys, by exploiting this vulnerability. This exposure can lead to unauthorized access to external services and compromise of the overall system security. There are no known exploits in the wild at this time.
Mitigation Recommendations
A fix is available in Grav version 2.0.0-rc.2. Since this is a cloud service, the vendor typically manages remediation server-side. Users should verify with the vendor advisory that their instance is updated to 2.0.0-rc.2 or later to ensure this vulnerability is mitigated.
CVE-2026-44738: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in getgrav grav
Description
A vulnerability in Grav versions prior to 2. 0. 0-rc. 2 allows users with the admin. pages role to expose the entire merged site configuration, including sensitive plugin secrets, by calling config. toArray() within a page body. This exposure occurs without requiring full administrator privileges and results in sensitive information being dumped into rendered HTML. The issue is fixed in version 2. 0. 0-rc.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-44738 is a CWE-200 vulnerability in the Grav file-based web platform. Before version 2.0.0-rc.2, the Twig sandbox allow-list permits users with the admin.pages role to invoke config.toArray() from a page body, which causes the entire merged site configuration—including sensitive data such as SMTP passwords, AWS keys, OAuth client secrets, and API tokens—to be output in the rendered HTML. This exposure does not require administrator privileges. The vulnerability has a CVSS 3.1 score of 7.7 (high severity) and is fixed in Grav 2.0.0-rc.2. The product is a cloud service, and the vendor manages remediation for the hosted service.
Potential Impact
An attacker with the admin.pages role can access highly sensitive configuration data, including credentials and API keys, by exploiting this vulnerability. This exposure can lead to unauthorized access to external services and compromise of the overall system security. There are no known exploits in the wild at this time.
Mitigation Recommendations
A fix is available in Grav version 2.0.0-rc.2. Since this is a cloud service, the vendor typically manages remediation server-side. Users should verify with the vendor advisory that their instance is updated to 2.0.0-rc.2 or later to ensure this vulnerability is mitigated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-07T18:04:17.310Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a028783cbff5d86108b8ff6
Added to database: 5/12/2026, 1:50:59 AM
Last enriched: 5/12/2026, 1:51:20 AM
Last updated: 5/12/2026, 1:51:21 AM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.