Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-42608

CVE-2026-42608: Getgrav Grav Path Traversal Vulnerability

CVE-2026-42608 is a path traversal vulnerability in Getgrav Grav that allows unauthenticated attackers to create arbitrary directories and write malicious files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-42608 Overview

CVE-2026-42608 is a path traversal vulnerability [CWE-22] in Grav, a file-based web platform maintained by getgrav. The flaw resides in the FormFlash core component and affects all releases prior to 2.0.0-beta.2. An unauthenticated attacker can manipulate the __form-flash-id parameter in POST requests to traverse the filesystem. Successful exploitation allows the creation of arbitrary directories and the writing of an index.yaml file containing attacker-controlled content. The vendor fixed the issue in version 2.0.0-beta.2.

Critical Impact

Unauthenticated remote attackers can write arbitrary index.yaml files outside the intended directory, leading to unauthorized modification of application behavior, data integrity loss, and service disruption.

Affected Products

  • Getgrav Grav versions prior to 2.0.0-beta.2
  • Getgrav Grav 2.0.0-beta1
  • Grav installations exposing the FormFlash core component

Discovery Timeline

  • 2026-05-11 - CVE-2026-42608 published to the National Vulnerability Database
  • 2026-05-13 - Last updated in NVD database

Technical Details for CVE-2026-42608

Vulnerability Analysis

The vulnerability exists in Grav's FormFlash subsystem, which persists transient form data on disk between requests. Grav uses the session_id, received from the client as the __form-flash-id POST parameter, to construct the storage directory path for flash data. Because this client-supplied identifier is not sanitized for directory traversal sequences, an attacker can include ../ segments to escape the intended cache directory. The server then creates attacker-chosen directories anywhere the web process can write and stores an index.yaml file with attacker-supplied content inside the resulting path.

Because Grav loads YAML configuration files from various locations in its filesystem, writing a controlled index.yaml into a sensitive directory can alter site configuration, page content, or routing behavior. This converts a write primitive into a higher-impact modification of application logic.

Root Cause

The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The FormFlash handler trusts the __form-flash-id value to build a filesystem path without normalizing the input or validating that the resolved path remains within the designated flash storage root.

Attack Vector

Exploitation requires only network access to a vulnerable Grav instance and no authentication or user interaction. The attacker submits a crafted POST request containing a __form-flash-id value with traversal sequences, then includes form data that Grav serializes into the resulting index.yaml file. See the GitHub Security Advisory GHSA-hmcx-ch82-3fv2 for additional technical details.

Detection Methods for CVE-2026-42608

Indicators of Compromise

  • POST requests containing __form-flash-id values with ../, ..\, or URL-encoded traversal sequences such as %2e%2e%2f.
  • Unexpected index.yaml files appearing outside the Grav cache/ or tmp/ directories.
  • New directories created under the web root or sibling paths with timestamps matching suspicious HTTP traffic.

Detection Strategies

  • Inspect web server and application logs for anomalous __form-flash-id parameter values that include path separators or encoded traversal patterns.
  • Use file integrity monitoring on the Grav installation directory to alert on unexpected directory creation and index.yaml writes.
  • Correlate HTTP POST requests to form endpoints with subsequent filesystem changes observed on the host.

Monitoring Recommendations

  • Forward Grav access logs and host filesystem telemetry into a centralized SIEM for cross-source correlation.
  • Alert on creation of YAML files outside known Grav content and configuration paths.
  • Track outbound HTTP behavior after suspicious form submissions to detect follow-on activity from a modified site configuration.

How to Mitigate CVE-2026-42608

Immediate Actions Required

  • Upgrade all Grav instances to version 2.0.0-beta.2 or later without delay.
  • Audit the filesystem for unauthorized index.yaml files and remove any not associated with legitimate content.
  • Review web access logs for prior exploitation attempts referencing __form-flash-id.

Patch Information

The vendor fixed CVE-2026-42608 in Grav 2.0.0-beta.2. Patch details and remediation guidance are documented in the GitHub Security Advisory GHSA-hmcx-ch82-3fv2.

Workarounds

  • Place a web application firewall (WAF) rule in front of Grav to block POST requests where __form-flash-id contains .., /, \, or URL-encoded equivalents.
  • Restrict write permissions for the Grav process so it cannot create files outside the intended cache/ and tmp/ directories.
  • Disable public access to form endpoints that rely on FormFlash until the upgrade is applied.
bash
# Example WAF rule (ModSecurity) to block traversal in __form-flash-id
SecRule ARGS:__form-flash-id "@rx (\.\./|\.\.\\|%2e%2e%2f|%2e%2e/)" \
    "id:1042608,phase:2,deny,status:400,log,\
    msg:'CVE-2026-42608 Grav FormFlash path traversal attempt'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.