Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-42610

CVE-2026-42610: Getgrav Grav Auth Bypass Vulnerability

CVE-2026-42610 is an authentication bypass vulnerability in Getgrav Grav that allows low-privileged users to extract sensitive data including password hashes. This article covers the technical details, affected versions, and fixes.

Published:

CVE-2026-42610 Overview

CVE-2026-42610 is an authorization flaw in Grav, a file-based content management platform. Versions prior to 2.0.0-beta.2 allow a low-privileged authenticated user, such as a Content Editor holding only pages.update permissions, to bypass the Twig sandbox by referencing the grav['accounts'] service. The bypass lets the attacker programmatically load administrative user objects and read sensitive material, including Bcrypt password hashes and the application security salt. The issue is categorized as an authorization weakness [CWE-863] and is fixed in Grav 2.0.0-beta.2.

Critical Impact

Authenticated low-privileged users can extract administrator password hashes and the security salt, enabling offline cracking and full takeover of the Grav installation.

Affected Products

  • Getgrav Grav versions prior to 2.0.0-beta.2
  • Grav 2.0.0-beta1
  • Deployments where editor-tier accounts have pages.update permission

Discovery Timeline

  • 2026-05-11 - CVE-2026-42610 published to NVD
  • 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-42610

Vulnerability Analysis

Grav uses a Twig sandbox to constrain what page authors can render through templates. The sandbox blocks dangerous PHP callables and Twig internals such as call_user_func and twig_array_map. However, the sandbox did not prevent access to the dependency injection container entry grav['accounts'], which exposes the user account collection.

A Content Editor with pages.update permission can place Twig markup inside a page body. When the page renders, the editor's template can iterate the accounts service, locate the admin user, and read object properties such as the Bcrypt hashed password and the security.salt value used for token generation.

With both values in hand, the attacker can perform offline dictionary or rainbow-table attacks against the administrator hash and forge signed tokens that rely on the salt. This converts a limited content-editing privilege into full administrative compromise of the Grav site.

Root Cause

The root cause is incomplete authorization within the Twig rendering layer [CWE-863]. The sandbox enforced a denylist of function names but did not restrict service-container lookups. The grav['accounts'] accessor returned live user model objects whose properties were readable through standard Twig property access.

Attack Vector

Exploitation requires network access to the Grav admin interface and a valid low-privileged account. No user interaction beyond authoring or updating a page is required. The patch in commit c66dfeb5ff679a1667678c6335eb9ff3255dfc47 extends the dangerous callable denylist and tightens sandbox boundaries.

php
// Patch excerpt: system/src/Grav/Common/Security.php
private const CALLABLE_DANGEROUS_NAMES = [
    // Twig internals — every callback-taking helper. GHSA-vj3m-2g9h-vm4p (#5)
    // called out the missing `twig_array_reduce`; adding the other Twig 3
    // callback predicates (some/every) at the same time as defense-in-depth.
    'twig_array_map', 'twig_array_filter', 'twig_array_reduce',
    'twig_array_some', 'twig_array_every',
    'call_user_func', 'call_user_func_array',
    'forward_static_call', 'forward_static_call_array',
    // Twig environment manipulation
    'registerUndefinedFunctionCallback', 'registerUndefinedFilterCallback',
];
// Source: https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47

Detection Methods for CVE-2026-42610

Indicators of Compromise

  • Page content or saved Twig templates containing references to grav['accounts'], grav.accounts, or iteration over user collections
  • Unexpected edits to pages by accounts holding only pages.update permission
  • Rendered pages that output strings matching the Bcrypt prefix $2y$ or that disclose the security.salt value

Detection Strategies

  • Inspect the Grav user/pages/ directory for Markdown or Twig files that include {{ grav['accounts'] }} or similar service lookups
  • Review Grav admin audit logs for page updates by low-privileged editors immediately followed by page-view requests from the same source IP
  • Compare current page revisions against version control to flag inserted Twig expressions that reference container services

Monitoring Recommendations

  • Forward Grav admin and web access logs to a centralized log platform and alert on requests where rendered HTML contains Bcrypt hash patterns
  • Monitor for repeated GET requests to pages recently modified by non-administrator accounts
  • Track outbound authentication failures and token usage anomalies that could indicate cracked credentials being tested

How to Mitigate CVE-2026-42610

Immediate Actions Required

  • Upgrade Grav to version 2.0.0-beta.2 or later, which contains the fix in commit c66dfeb5ff679a1667678c6335eb9ff3255dfc47
  • Rotate the security.salt value and force a password reset for all administrator accounts after patching
  • Audit existing pages for Twig expressions referencing grav['accounts'] or other container services and remove them
  • Review the permissions assigned to editor-tier accounts and remove unnecessary pages.update rights

Patch Information

The vendor fix is published in the GitHub Security Advisory GHSA-3f29-pqwf-v4j4 and the corresponding GitHub commit c66dfeb. The patch hardens the Twig sandbox denylist and restricts access to sensitive service-container entries. Operators should deploy 2.0.0-beta.2 or any later release.

Workarounds

  • Restrict the pages.update permission to fully trusted administrators until the patch is applied
  • Disable Twig processing in page content by setting process: twig: false in the affected page frontmatter or site configuration
  • Place the Grav admin interface behind network access controls such as VPN or IP allowlisting to limit exposure
bash
# Configuration example: disable Twig processing on user pages in user/config/system.yaml
pages:
  process:
    markdown: true
    twig: false

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.