CVE-2026-42608 Overview
CVE-2026-42608 is a path traversal vulnerability [CWE-22] in Grav, a file-based web platform maintained by getgrav. The flaw resides in the FormFlash core component and affects all releases prior to 2.0.0-beta.2. An unauthenticated attacker can manipulate the __form-flash-id parameter in POST requests to traverse the filesystem. Successful exploitation allows the creation of arbitrary directories and the writing of an index.yaml file containing attacker-controlled content. The vendor fixed the issue in version 2.0.0-beta.2.
Critical Impact
Unauthenticated remote attackers can write arbitrary index.yaml files outside the intended directory, leading to unauthorized modification of application behavior, data integrity loss, and service disruption.
Affected Products
- Getgrav Grav versions prior to 2.0.0-beta.2 (including 2.0.0-beta1)
- Grav installations exposing the FormFlash core component
Discovery Timeline
- 2026-05-11 - CVE-2026-42608 published to the National Vulnerability Database
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42608
Vulnerability Analysis
The vulnerability exists in Grav's FormFlash subsystem, which persists transient form data on disk between requests. Grav builds the storage directory for that data from an identifier the client supplies in the __form-flash-id POST parameter (the flash session id). Because this client-supplied identifier is not sanitized for directory traversal sequences, an attacker can include ../ segments to escape the intended cache directory. The server then creates attacker-chosen directories anywhere the web process can write and stores an index.yaml file with attacker-supplied content inside the resulting path.
Because Grav loads YAML configuration files from various locations in its filesystem, writing a controlled index.yaml into a sensitive directory can alter site configuration, page content, or routing behavior. This converts a write primitive into a higher-impact modification of application logic.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The FormFlash handler trusts the __form-flash-id value to build a filesystem path without normalizing the input or validating that the resolved path remains within the designated flash storage root.
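The following is an added illustration of the root cause, not Grav's own code: the unsafe pattern joins the client-supplied identifier straight onto the storage root, while the hardened version restricts the identifier to an opaque token and confirms that the resolved path still lies inside the root. The storage root, the function names and the token allow-list are assumptions made for the example.

```python
import posixpath
import re

# Constructed storage root for the demonstration; the real flash directory
# sits under Grav's cache/ tree, but its exact path is an assumption here.
FLASH_ROOT = "/var/www/grav/cache/flash"

# A flash id should be an opaque token. This allow-list is an assumption
# for the example, not Grav's own validation.
VALID_FLASH_ID = re.compile(r"^[A-Za-z0-9_-]{1,128}$")


def unsafe_flash_dir(flash_id: str) -> str:
    """Vulnerable pattern: the client-supplied id is joined onto the root as-is."""
    return posixpath.normpath(posixpath.join(FLASH_ROOT, flash_id))


def escapes_root(flash_id: str) -> bool:
    """True when the unsafe join would place the directory outside FLASH_ROOT."""
    resolved = unsafe_flash_dir(flash_id)
    return posixpath.commonpath([FLASH_ROOT, resolved]) != FLASH_ROOT


def safe_flash_dir(flash_id: str) -> str:
    """Hardened pattern: reject anything but an opaque token, then re-check containment."""
    if not VALID_FLASH_ID.fullmatch(flash_id):
        raise ValueError(f"rejected flash id {flash_id!r}: invalid characters")
    candidate = posixpath.normpath(posixpath.join(FLASH_ROOT, flash_id))
    # Defence in depth: even an allow-listed token must resolve inside the root.
    # A deployed check should also realpath() both sides so symlinks cannot
    # redirect the write.
    if posixpath.commonpath([FLASH_ROOT, candidate]) != FLASH_ROOT:
        raise ValueError(f"rejected flash id {flash_id!r}: escapes storage root")
    return candidate


def is_accepted(flash_id: str) -> bool:
    """Convenience wrapper: does the hardened builder accept this id?"""
    try:
        safe_flash_dir(flash_id)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for fid in ("8f1c2a7d", "../../../user/config", "abc/../def"):
        print(f"{fid!r}: unsafe -> {unsafe_flash_dir(fid)}  escapes={escapes_root(fid)}  hardened accepts={is_accepted(fid)}")
```

The allow-list is the primary control; the containment check only catches mistakes in the allow-list, so a rejection from the second check is worth logging as it means the first one is wrong.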
Attack Vector
Exploitation requires only network access to a vulnerable Grav instance and no authentication or user interaction. The attacker submits a crafted POST request containing a __form-flash-id value with traversal sequences, then includes form data that Grav serializes into the resulting index.yaml file. See the GitHub Security Advisory GHSA-hmcx-ch82-3fv2 for additional technical details.
Detection Methods for CVE-2026-42608
Indicators of Compromise
- POST requests containing __form-flash-id values with ../ or ..\, URL-encoded equivalents such as %2e%2e%2f and %2e%2e%5c, or double-encoded forms such as %252e%252e%252f.
- Unexpected index.yaml files appearing outside the Grav cache/ or tmp/ directories.
- New directories created under the web root or sibling paths with timestamps matching suspicious HTTP traffic.
Detection Strategies
- Inspect web server and application logs for anomalous __form-flash-id parameter values that include path separators or encoded traversal patterns.
- Use file integrity monitoring on the Grav installation directory to alert on unexpected directory creation and index.yaml writes.
- Correlate HTTP POST requests to form endpoints with subsequent filesystem changes observed on the host.
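As an added example covering the indicators and the log inspection strategy above (this is not code from the page or from the Grav project): a small scanner that pulls __form-flash-id out of logged POST bodies, decodes it repeatedly so double-encoded sequences are exposed, and reports any request whose decoded value contains a ../ or ..\ segment. Standard access logs do not record POST bodies, so the body="..." field in the constructed sample lines assumes a reverse proxy or ModSecurity audit log configured to capture the body; the log format and the IP addresses are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [11/May/2026:10:01:02 +0000] "POST /contact HTTP/1.1" 200 512 '
    'body="__form-flash-id=8f1c2a7d&name=alice"',
    '203.0.113.55 - - [11/May/2026:10:02:17 +0000] "POST /contact HTTP/1.1" 200 512 '
    'body="__form-flash-id=..%2F..%2F..%2Fuser%2Fconfig&name=x"',
    '203.0.113.55 - - [11/May/2026:10:02:19 +0000] "POST /contact HTTP/1.1" 200 512 '
    'body="__form-flash-id=%252e%252e%255cuser&name=x"',
    '198.51.100.7 - - [11/May/2026:10:03:00 +0000] "GET /contact HTTP/1.1" 200 2048 body=""',
]

# Assumed log layout: common log format plus a trailing body="..." field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) [^"]*" \d+ \d+ body="(?P<body>[^"]*)"'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Repeatedly URL-decode so double- or triple-encoded sequences become visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True if the fully decoded flash id contains a ../ or ..\\ segment."""
    return TRAVERSAL_RE.search(fully_decode(value)) is not None


def extract_flash_id(body: str):
    """Pull __form-flash-id from a urlencoded body; parse_qs removes one encoding layer."""
    values = parse_qs(body, keep_blank_values=True).get("__form-flash-id")
    return values[0] if values else None


def scan_log(lines):
    """Return (ip, timestamp, decoded flash id) for every POST carrying a traversal sequence."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        flash_id = extract_flash_id(m.group("body"))
        if flash_id is not None and is_traversal(flash_id):
            hits.append((m.group("ip"), m.group("ts"), fully_decode(flash_id)))
    return hits


if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} __form-flash-id={value!r}")
```

Matching on the decoded value rather than on raw patterns is what makes the third sample line (double-encoded, backslash variant) a hit; a detector that only looks for the literal string ../ in the raw body misses it.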
Monitoring Recommendations
- Forward Grav access logs and host filesystem telemetry into a centralized SIEM for cross-source correlation.
- Alert on creation of YAML files outside known Grav content and configuration paths.
- Track outbound HTTP behavior after suspicious form submissions to detect follow-on activity from a modified site configuration.
How to Mitigate CVE-2026-42608
Immediate Actions Required
- Upgrade all Grav instances to version 2.0.0-beta.2 or later without delay.
- Audit the filesystem for unauthorized index.yaml files and remove any not associated with legitimate content.
- Review web access logs for prior exploitation attempts referencing __form-flash-id.
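As an added example for the filesystem audit step above (not code from the page or the Grav project): a walk over the installation that lists every index.yaml outside the cache/ and tmp/ trees, oldest first, so the earliest write can be lined up against the access log. The sample tree is constructed inside a temporary directory for the demonstration; the allowed directory names follow the advisory text, and every hit still needs manual review against known content before deletion.

```python
import os
import shutil
import tempfile

# Trees in which Grav is expected to write transient files (per the advisory text).
ALLOWED_TOP_LEVEL = ("cache", "tmp")


def find_stray_index_yaml(root: str, allowed=ALLOWED_TOP_LEVEL):
    """Return POSIX-style relative paths of index.yaml files outside the allowed trees, oldest first."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "index.yaml" not in filenames:
            continue
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir.split(os.sep)[0] in allowed:
            continue
        full = os.path.join(dirpath, "index.yaml")
        found.append((os.path.getmtime(full), os.path.relpath(full, root).replace(os.sep, "/")))
    found.sort()
    return [path for _mtime, path in found]


def build_sample_tree() -> str:
    """Constructed Grav-like layout for the demonstration (not a real install)."""
    root = tempfile.mkdtemp(prefix="grav-audit-")
    legit = os.path.join(root, "cache", "flash", "8f1c2a7d")
    planted = [
        os.path.join(root, "user", "config"),
        os.path.join(root, "user", "pages", "01.home"),
    ]
    for d in (legit, *planted):
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "index.yaml"), "w") as fh:
            fh.write("name: x\n")
    # An unrelated YAML file that must not be reported.
    with open(os.path.join(root, "user", "config", "site.yaml"), "w") as fh:
        fh.write("title: legit\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        for path in find_stray_index_yaml(sample_root):
            print("stray index.yaml:", path)
    finally:
        shutil.rmtree(sample_root)
```

Run it against the real installation root with `find_stray_index_yaml("/path/to/grav")`; pair each reported path's mtime with the POST timestamps from the log review to confirm exploitation rather than a stray file from a legitimate deploy.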
Patch Information
The vendor fixed CVE-2026-42608 in Grav 2.0.0-beta.2. Patch details and remediation guidance are documented in the GitHub Security Advisory GHSA-hmcx-ch82-3fv2.
Workarounds
- Place a web application firewall (WAF) rule in front of Grav to block POST requests where __form-flash-id contains .., /, \, or URL-encoded equivalents.
- Restrict write permissions for the Grav process so it cannot create files outside the intended cache/ and tmp/ directories.
- Disable public access to form endpoints that rely on FormFlash until the upgrade is applied.
# Example WAF rule (ModSecurity) to block traversal in __form-flash-id.
# ARGS is already URL-decoded once; t:urlDecodeUni also exposes double-encoded
# sequences so one pattern covers ../, ..\, %2e%2e%2f and %252e%252e%252f.
# \x5c is a literal backslash (written this way to avoid config-quoting issues).
SecRule ARGS:__form-flash-id "@rx \.\.[/\x5c]" \
    "id:1042608,phase:2,deny,status:400,log,t:none,t:urlDecodeUni,\
    msg:'CVE-2026-42608 Grav FormFlash path traversal attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.