CVE-2026-62232: Missing Authorization in getgrav grav
Grav versions prior to 2.0.4 have a critical vulnerability in the login plugin that allows bypassing two-factor authentication (2FA). The regenerate2FASecret task improperly checks only for user existence without verifying authorization during the pending TOTP challenge window. An attacker who knows a victim's password can exploit this to overwrite the victim's 2FA secret with a value of their choice, generate a valid TOTP code, and complete authentication, effectively reducing 2FA protection to password-only.
AI Analysis
Technical Summary
CVE-2026-62232 affects Grav before version 2.0.4. The vulnerability lies in the login plugin's regenerate2FASecret task, which fails to enforce proper authorization checks during the pending TOTP challenge window. This allows an attacker with knowledge of a victim's password to call this task without a CSRF nonce, overwrite the victim's two-factor authentication secret with an attacker-controlled value, compute a valid TOTP code, and bypass the intended 2FA protection. This reduces the security of the authentication process to relying solely on the password.
Potential Impact
Successful exploitation allows attackers who know a victim's password to bypass two-factor authentication by resetting the victim's 2FA secret to an attacker-chosen value. This compromises the multi-factor authentication mechanism, effectively reducing account security to password-only protection and increasing the risk of unauthorized access.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the regenerate2FASecret task, monitor for suspicious activity involving 2FA secret regeneration, and enforce strong password policies. Avoid using affected versions and upgrade promptly once a patch is released.
CVE-2026-62232: Missing Authorization in getgrav grav
Description
Grav versions prior to 2.0.4 have a critical vulnerability in the login plugin that allows bypassing two-factor authentication (2FA). The regenerate2FASecret task improperly checks only for user existence without verifying authorization during the pending TOTP challenge window. An attacker who knows a victim's password can exploit this to overwrite the victim's 2FA secret with a value of their choice, generate a valid TOTP code, and complete authentication, effectively reducing 2FA protection to password-only.
CVSS v4.0
Score 9.1critical
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-62232 affects Grav before version 2.0.4. The vulnerability lies in the login plugin's regenerate2FASecret task, which fails to enforce proper authorization checks during the pending TOTP challenge window. This allows an attacker with knowledge of a victim's password to call this task without a CSRF nonce, overwrite the victim's two-factor authentication secret with an attacker-controlled value, compute a valid TOTP code, and bypass the intended 2FA protection. This reduces the security of the authentication process to relying solely on the password.
Potential Impact
Successful exploitation allows attackers who know a victim's password to bypass two-factor authentication by resetting the victim's 2FA secret to an attacker-chosen value. This compromises the multi-factor authentication mechanism, effectively reducing account security to password-only protection and increasing the risk of unauthorized access.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the regenerate2FASecret task, monitor for suspicious activity involving 2FA secret regeneration, and enforce strong password policies. Avoid using affected versions and upgrade promptly once a patch is released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-07-13T16:40:10.961Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a59784168715ace4305da62
Added to database: 07/17/2026, 00:33:05 UTC
Last enriched: 07/17/2026, 00:47:59 UTC
Last updated: 07/17/2026, 03:56:31 UTC
Views: 20
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.