CVE-2026-42609 Overview
CVE-2026-42609 is a business logic flaw in the Grav Admin Panel that allows a low-privileged user with only user creation permissions to overwrite existing accounts, including the primary administrator. The flaw exists in versions of Grav prior to 2.0.0-beta.2. When a low-privileged operator creates a new user with a username that already exists, Grav updates the existing account's metadata and permissions instead of rejecting the duplicate. Attackers exploit this to demote the root administrator, causing a Denial of Service (DoS) on administrative functions and effectively performing privilege de-escalation against the highest-privileged account. The issue is tracked under [CWE-269: Improper Privilege Management] and is fixed in 2.0.0-beta.2.
Critical Impact
An authenticated low-privileged Grav user can overwrite the root administrator account, locking out legitimate admins and disrupting site management.
Affected Products
- Getgrav Grav versions prior to 2.0.0-beta.2
- Getgrav Grav 2.0.0-beta1
- Grav Admin Panel (bundled administration plugin)
Discovery Timeline
- 2026-05-11 - CVE-2026-42609 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-42609
Vulnerability Analysis
Grav is a file-based content management system written in PHP. User accounts are stored as YAML files on disk rather than in a relational database, which makes the username the de-facto primary key for an account. The Admin Panel exposes a user creation workflow that accepts a username, email, password, and permission set from any operator who holds the user:create permission.
The vulnerable code path does not perform an existence check before writing the new user file. Submitting a creation request with a username that matches an existing account, including the root administrator, causes Grav to merge the attacker-supplied fields into the existing YAML file. The attacker controls the resulting permission flags, email, and password hash on the overwritten account.
The impact is twofold. Legitimate administrators lose access because their credentials and roles are replaced, producing a denial of service on every administrative function. The targeted account is downgraded to whatever permissions the attacker submits, which is the privilege de-escalation behavior captured by [CWE-269].
Root Cause
The Admin Panel's user-create handler treats user creation as an unconditional write rather than an insert-only operation. There is no uniqueness constraint on the username and no authorization check verifying that the caller is allowed to modify the target account. The file-based storage model amplifies the issue because writing user/accounts/admin.yaml silently replaces the existing record.
Attack Vector
The attacker must be authenticated to the Admin Panel with the user:create permission, which is intended for delegated user management roles. From that low-privileged session, the attacker submits a standard user creation form with the username set to admin (or any other existing privileged account), a password they control, and a reduced permission set. After submission, the attacker can authenticate as the overwritten account, while the original administrator is locked out.
// Patch context from system/src/Grav/Common/Config/Setup.php
// Source: https://github.com/getgrav/grav/commit/d904efc33e03ebb597afde8d3368b28cf0423632
use BadMethodCallException;
use Grav\Common\File\CompiledYamlFile;
use Grav\Common\Data\Data;
-use Grav\Common\Utils;
use InvalidArgumentException;
use Pimple\Container;
use Psr\Http\Message\ServerRequestInterface;
The d904efc commit is referenced in the advisory as the user-overwrite hardening fix and is bundled with related FormFlash traversal and salt leak corrections.
Detection Methods for CVE-2026-42609
Indicators of Compromise
- Modification timestamps on user/accounts/admin.yaml (or any high-privilege account file) that do not correspond to a known administrative action.
- New password hashes or changed email addresses in privileged account YAML files following a session from a non-administrative user.
- Failed administrator logins immediately after a successful user-create action by a low-privileged operator.
- Admin Panel audit log entries showing onAdminTaskExecute user-save events targeting pre-existing usernames.
Detection Strategies
- Monitor file integrity on the user/accounts/ directory and alert on writes to existing files by the web server user.
- Correlate Admin Panel access logs for POST /admin/users/<existing-username> or user-create requests whose payload username matches an existing account file.
- Compare daily snapshots of account YAML files to detect unexpected permission downgrades on admin-class accounts.
Monitoring Recommendations
- Centralize Grav web server logs and admin audit logs into a SIEM and build alerts on user-create activity originating from non-administrator sessions.
- Track authentication failure spikes for known administrator usernames as an early signal that an account has been overwritten.
- Review the list of accounts holding user:create permission and confirm each is required, since exploitation requires that role.
How to Mitigate CVE-2026-42609
Immediate Actions Required
- Upgrade Grav to version 2.0.0-beta.2 or later, which contains the user-overwrite hardening from commit d904efc.
- Audit the user/accounts/ directory for unexpected changes to administrator files and restore from backup if tampering is found.
- Temporarily revoke the user:create permission from non-administrator roles until the upgrade is applied.
- Rotate passwords and review permissions on all privileged accounts after upgrading.
Patch Information
The fix is delivered in Grav 2.0.0-beta.2. Relevant upstream commits are 5a12f9b, c66dfeb, and d904efc. Full advisory details are published in GitHub Security Advisory GHSA-rr73-568v-28f8.
Workarounds
- Restrict the Admin Panel to trusted networks using web server access controls or a VPN until the upgrade is completed.
- Remove the user:create permission from all non-administrator roles in user/accounts/groups.yaml.
- Set the operating-system permissions on existing administrator YAML files to read-only for the web server user to block overwrite attempts.
# Temporary mitigation: make existing admin account files read-only to the web user
chmod 0440 user/accounts/admin.yaml
chown root:www-data user/accounts/admin.yaml
# Upgrade Grav via the CLI once 2.0.0-beta.2 is available
bin/gpm selfupgrade -f
bin/gpm update
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
