CVE-2026-42610 Overview
CVE-2026-42610 is an authorization flaw in Grav, a file-based content management platform. Versions prior to 2.0.0-beta.2 allow a low-privileged authenticated user, such as a Content Editor holding only pages.update permissions, to bypass the Twig sandbox by referencing the grav['accounts'] service. The bypass lets the attacker programmatically load administrative user objects and read sensitive material, including Bcrypt password hashes and the application security salt. The issue is categorized as an authorization weakness [CWE-863] and is fixed in Grav 2.0.0-beta.2.
Critical Impact
Authenticated low-privileged users can extract administrator password hashes and the security salt, enabling offline cracking and full takeover of the Grav installation.
Affected Products
- Getgrav Grav versions prior to 2.0.0-beta.2
- Grav 2.0.0-beta1
- Deployments where editor-tier accounts hold the pages.update permission, which is the precondition for exploitation
Discovery Timeline
- 2026-05-11 - CVE-2026-42610 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-42610
Vulnerability Analysis
Grav uses a Twig sandbox to constrain what page authors can render through templates. The sandbox blocks dangerous PHP callables and Twig internals such as call_user_func and twig_array_map. However, the sandbox did not prevent access to the dependency injection container entry grav['accounts'], which exposes the user account collection.
A Content Editor with pages.update permission can place Twig markup inside a page body. When the page renders, the editor's template can iterate the accounts service, locate the admin user, and read object properties such as the Bcrypt hashed password and the security.salt value used for token generation.
With both values in hand, the attacker can run an offline dictionary or brute-force attack against the administrator's bcrypt hash (bcrypt's per-hash salt rules out precomputed rainbow tables and its work factor slows guessing, but a weak password still falls quickly) and can forge any token whose derivation depends on security.salt. This converts a limited content-editing privilege into full administrative compromise of the Grav site.
Root Cause
The root cause is incomplete authorization within the Twig rendering layer [CWE-863]. The sandbox enforced a denylist of function names but did not restrict service-container lookups. The grav['accounts'] accessor returned live user model objects whose properties were readable through standard Twig property access.
Attack Vector
Exploitation requires network access to the Grav admin interface and a valid low-privileged account. No user interaction beyond authoring or updating a page is required. The patch in commit c66dfeb5ff679a1667678c6335eb9ff3255dfc47 extends the dangerous-callable denylist and tightens sandbox boundaries; the excerpt below shows only the denylist portion of that change.
// Patch excerpt: system/src/Grav/Common/Security.php
private const CALLABLE_DANGEROUS_NAMES = [
// Twig internals — every callback-taking helper. GHSA-vj3m-2g9h-vm4p (#5)
// called out the missing `twig_array_reduce`; adding the other Twig 3
// callback predicates (some/every) at the same time as defense-in-depth.
'twig_array_map', 'twig_array_filter', 'twig_array_reduce',
'twig_array_some', 'twig_array_every',
'call_user_func', 'call_user_func_array',
'forward_static_call', 'forward_static_call_array',
// Twig environment manipulation
'registerUndefinedFunctionCallback', 'registerUndefinedFilterCallback',
];
// Source: https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47
Detection Methods for CVE-2026-42610
Indicators of Compromise
- Page content or saved Twig templates containing references to grav['accounts'], grav.accounts, or iteration over user collections
- Unexpected edits to pages by accounts holding only pages.update permission
- Rendered pages that output strings matching the Bcrypt prefix $2y$ or that disclose the security.salt value
Detection Strategies
- Inspect the Grav user/pages/ directory for Markdown or Twig files that include {{ grav['accounts'] }} or similar service lookups
- Review Grav logs and web server access logs for page updates by low-privileged editors that are followed shortly afterwards by page-view requests for the same page from the same source IP
- Compare current page revisions against version control to flag inserted Twig expressions that reference container services
Monitoring Recommendations
- Forward Grav and web server access logs to a centralized log platform; to alert on responses that contain bcrypt hash patterns ($2y$ followed by a two-digit cost and 53 base64 characters), inspect response bodies at a reverse proxy or WAF, since access logs record only request metadata and never the rendered HTML
- Monitor for repeated GET requests to pages recently modified by non-administrator accounts
- Track failed and anomalous administrator logins, and token-based actions from unusual sources, which could indicate cracked credentials being tested
How to Mitigate CVE-2026-42610
Immediate Actions Required
- Upgrade Grav to version 2.0.0-beta.2 or later, which contains the fix in commit c66dfeb5ff679a1667678c6335eb9ff3255dfc47
- Rotate the security.salt value and force a password reset for all administrator accounts after patching
- Audit existing pages for Twig expressions referencing grav['accounts'] or other container services and remove them
- Review the permissions assigned to editor-tier accounts and remove unnecessary pages.update rights
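As an added example (not Grav's own code and not part of the advisory), the following Python script implements the page audit called for in both the detection strategies and the immediate actions above: it walks a user/pages tree, extracts the bodies of Twig tags from each Markdown file, flags container lookups such as grav['accounts'] or grav.accounts, reports pages whose frontmatter enables Twig processing, and includes a matcher for bcrypt hashes leaking into rendered output. The sample pages are constructed inline; the list of services treated as sensitive and the simplified frontmatter parser are assumptions of the example rather than anything Grav defines.

```python
"""Audit a Grav user/pages tree for Twig service-container lookups.

Added example, not Grav project code.  Sample pages below are constructed
for the demo; the SENSITIVE_SERVICES set is an assumption of this script.
"""
import re
import tempfile
from pathlib import Path

# Bodies of {{ ... }} and {% ... %} tags; only these are evaluated by Twig.
TWIG_TAG = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)
# grav['accounts'], grav["accounts"] and grav.accounts style container lookups.
CONTAINER_LOOKUP = re.compile(
    r"""\bgrav\s*(?:\[\s*['"]([A-Za-z_][\w.-]*)['"]\s*\]|\.([A-Za-z_]\w*))""")
# Services whose objects expose credentials or secrets (assumption: tune per site).
SENSITIVE_SERVICES = {"accounts", "user", "users", "login", "config"}
# YAML frontmatter block at the top of a page file.
FRONTMATTER = re.compile(r"\A---\r?\n(.*?)\r?\n---\r?\n?", re.DOTALL)
PROCESS_KEY = re.compile(r"process:\s*")
TWIG_TRUE = re.compile(r"twig:\s*(true|yes|on)", re.IGNORECASE)
INLINE_PROCESS = re.compile(r"process:\s*\{[^}]*\btwig:\s*(true|yes|on)\b", re.IGNORECASE)
# $2y$ (or $2a$/$2b$) + two-digit cost + 22-char salt and 31-char digest.
BCRYPT_HASH = re.compile(r"\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}")


def twig_enabled_in_frontmatter(fm: str) -> bool:
    """True if the page header turns Twig on.  Handles the block form
    (process:\\n  twig: true) and the flow form (process: {twig: true}) with a
    small hand parser so the example needs no YAML library."""
    in_process, base_indent = False, 0
    for line in fm.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if INLINE_PROCESS.search(stripped):
            return True
        indent = len(line) - len(line.lstrip())
        if in_process and indent <= base_indent:
            in_process = False          # left the process: mapping
        if in_process:
            if TWIG_TRUE.fullmatch(stripped):
                return True
        elif PROCESS_KEY.fullmatch(stripped):
            in_process, base_indent = True, indent
    return False


def scan_page(text: str) -> dict:
    """Findings for one page: every container lookup inside a Twig tag, plus
    whether the frontmatter enables Twig processing for this page."""
    fm = FRONTMATTER.match(text)
    frontmatter = fm.group(1) if fm else ""
    body = text[fm.end():] if fm else text
    lookups = []
    for tag in TWIG_TAG.finditer(body):
        expr = tag.group(1) if tag.group(1) is not None else tag.group(2)
        for m in CONTAINER_LOOKUP.finditer(expr):
            service = m.group(1) or m.group(2)
            lookups.append({"service": service,
                            "sensitive": service in SENSITIVE_SERVICES,
                            "expression": tag.group(0).strip()})
    return {"twig_enabled": twig_enabled_in_frontmatter(frontmatter),
            "container_lookups": lookups}


def scan_pages_tree(root) -> list:
    """Walk every .md page under root and keep only pages with findings."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.md")):
        result = scan_page(path.read_text(encoding="utf-8", errors="replace"))
        if result["container_lookups"] or result["twig_enabled"]:
            result["path"] = path.relative_to(root).as_posix()
            findings.append(result)
    return findings


def find_bcrypt_hashes(rendered_html: str) -> list:
    """Bcrypt strings in rendered output: the IoC for a page that leaked a hash."""
    return BCRYPT_HASH.findall(rendered_html)


# Constructed sample pages: one clean, one abusing the accounts service with
# Twig enabled in its header, one reading config, one with the text outside tags.
SAMPLE_PAGES = {
    "01.home/default.md": "---\ntitle: Home\n---\n# Welcome\n\nPlain content, no Twig.\n",
    "02.about/default.md": ("---\ntitle: About\nprocess:\n  markdown: true\n  twig: true\n---\n"
                            "{% set admins = grav['accounts'] %}\n"
                            "{% for u in grav.accounts %}{{ u.username }}{% endfor %}\n"),
    "03.contact/default.md": "---\ntitle: Contact\n---\nSite: {{ grav.config.get('site.title') }}\n",
    "04.blog/default.md": "---\ntitle: Blog\n---\nThe text grav['accounts'] outside a tag is not evaluated.\n",
}


def demo() -> list:
    """Write the sample tree to a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE_PAGES.items():
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text, encoding="utf-8")
        return scan_pages_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], "twig_enabled=%s" % f["twig_enabled"])
        for lookup in f["container_lookups"]:
            print("   ", "SENSITIVE" if lookup["sensitive"] else "lookup  ", lookup["expression"])
```

Run it against a real installation by replacing demo() with scan_pages_tree("user/pages"); any hit on a sensitive service in a page owned by an editor-tier account is worth treating as an incident rather than a cleanup item, and a page whose header enables Twig while the site-wide setting is off is itself a finding.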
Patch Information
The vendor fix is published in the GitHub Security Advisory GHSA-3f29-pqwf-v4j4 and the corresponding GitHub commit c66dfeb. The patch hardens the Twig sandbox denylist and restricts access to sensitive service-container entries. Operators should deploy 2.0.0-beta.2 or any later release.
Workarounds
- Restrict the pages.update permission to fully trusted administrators until the patch is applied
- Disable Twig processing of page content by setting process: twig: false in the site configuration (already the default in a stock system.yaml) and verify that no page frontmatter re-enables it with process: twig: true, since a per-page header overrides the site-wide setting
- Place the Grav admin interface behind network access controls such as VPN or IP allowlisting to limit exposure
# Configuration example: disable Twig processing on user pages in user/config/system.yaml
pages:
  process:
    markdown: true
    twig: false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.