CVE-2026-42613 Overview
CVE-2026-42613 is a critical privilege escalation vulnerability in the Grav content management system (CMS). The flaw resides in the Login::register() method of the Grav Login plugin. The method accepts attacker-controlled groups and access fields from registration POST data without server-side validation. When user registration is enabled and these fields appear in the configured allowed fields list, an unauthenticated attacker can self-register an account with admin.super privileges. The issue is tracked under CWE-20: Improper Input Validation and is fixed in Grav 2.0.0-beta.2.
Critical Impact
Unauthenticated attackers can create administrator accounts with admin.super privileges, granting full control over the affected Grav installation.
Affected Products
- Grav CMS versions prior to 2.0.0-beta.2
- Grav Login plugin (grav-plugin-login)
- Grav deployments with public registration enabled and groups/access listed in allowed fields
Discovery Timeline
- 2026-05-11 - CVE-2026-42613 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-42613
Vulnerability Analysis
The vulnerability is a mass assignment flaw in the Grav Login plugin's registration handler. The Login::register() method processes registration form input and persists user attributes without filtering privileged fields. Two attributes are sensitive: groups, which determines group membership, and access, which defines per-user access control entries.
Grav uses access entries such as admin.super: true to grant administrative authority. By including these fields in the registration POST body, an attacker assigns themselves administrative rights at account creation. Authentication is not required because registration is intended for unauthenticated visitors.
The impact extends across confidentiality, integrity, and availability. An attacker with admin.super can read site content, modify pages and configuration, install plugins, and execute server-side code through Grav's administrative interfaces.
Root Cause
The root cause is missing server-side validation and field allow-listing inside Login::register(). The method trusts the configured allowed fields list, but that list can legitimately include user-controlled profile attributes alongside privileged ones such as groups and access. No separate enforcement prevents privileged attributes from being assigned during registration.
Attack Vector
The attack is performed over the network against the public registration endpoint. The attacker submits a registration request that includes additional parameters for groups and access, specifying administrative values. The server stores the account with the supplied privileges. The attacker then authenticates and reaches the admin panel.
No exploit code is publicly verified. Refer to the GitHub Security Advisories GHSA-pxm6-mhxr-q4mj and GHSA-w48r-jppp-rcfw for technical details.
Detection Methods for CVE-2026-42613
Indicators of Compromise
- New user accounts in user/accounts/ containing access: entries with admin.super: true that were not provisioned by administrators.
- Registration POST requests in web server logs containing data[groups] or data[access] parameters.
- Admin panel logins from accounts created shortly after suspicious registration requests.
- Unexpected plugin installations, configuration changes, or page modifications following account creation events.
Detection Strategies
- Audit the user/accounts/ directory for YAML files containing privileged groups or access keys that do not match the expected administrator inventory.
- Inspect web access logs for POST requests to the registration URL (typically /user/register or the configured route_register) that include groups or access fields.
- Compare the configured allowed_fields list in the Login plugin configuration against the documented safe defaults.
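An added audit script (not from this advisory or the Grav project) that implements the first two detection strategies above: it flattens constructed sample account files in the layout Grav keeps under user/accounts/, flags admin.super grants or privileged group membership that fall outside an assumed administrator inventory, and matches logged registration requests that carry data[groups] or data[access]. The file contents, KNOWN_ADMINS, PRIVILEGED_GROUPS and the /user/register route are assumptions; the log check only works where the request body or query string is actually logged.

```python
import re
# Constructed sample files in the layout Grav keeps under user/accounts/ (values made up).
SAMPLE_ACCOUNTS = {
    "alice.yaml": "email: alice@example.test\ngroups:\n  - admin\naccess:\n  admin:\n    super: true\n",
    "bob.yaml": "email: bob@example.test\naccess:\n  admin.super: true\n  site.login: true\n",
    "carol.yaml": "email: carol@example.test\naccess:\n  site:\n    login: true\n",
}
KNOWN_ADMINS = {"alice.yaml"}      # assumed administrator inventory
PRIVILEGED_GROUPS = {"admin"}      # assumed groups that carry admin rights
# data[groups] / data[access], raw or URL-encoded, anywhere in a logged request line
REGISTRATION_PARAMS = re.compile(r"data(?:\[|%5B)(?:groups|access)(?:\]|%5D)", re.I)

def flatten_yaml(text):
    """Flatten an indented YAML mapping into {'a.b.c': value}; nested mappings and '- item' lists only."""
    out, stack = {}, []                      # stack of (indent, key) for open mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent, body = len(line) - len(line.lstrip()), line.strip()
        is_item = body.startswith("- ")
        while stack and stack[-1][0] >= indent + (1 if is_item else 0):
            stack.pop()                      # close mappings deeper than this line
        prefix = ".".join(k for _, k in stack)
        if is_item:                          # list item belongs to the open key
            out.setdefault(prefix, []).append(body[2:].strip())
            continue
        key, _, value = (p.strip() for p in body.partition(":"))
        full = f"{prefix}.{key}" if prefix else key
        if value:
            out[full] = value
        else:
            stack.append((indent, key))      # start of a nested mapping
    return out

def audit_accounts(accounts, known_admins=KNOWN_ADMINS):
    """Return {file: reasons} for accounts holding admin rights that are not in the inventory."""
    findings = {}
    for name, text in accounts.items():
        flat = flatten_yaml(text)
        reasons = [f"{k}: {v}" for k, v in flat.items() if k.startswith("access.admin.")
                   and isinstance(v, str) and v.lower() in ("true", "yes", "1")]
        reasons += [f"groups: {g}" for g in flat.get("groups", []) if g in PRIVILEGED_GROUPS]
        if reasons and name not in known_admins:
            findings[name] = reasons
    return findings

def suspicious_registration(log_line):
    """True for a logged POST to the registration route carrying groups/access (body must be logged)."""
    return "POST" in log_line and "/user/register" in log_line and bool(REGISTRATION_PARAMS.search(log_line))
```

Both access spellings that Grav accepts (a nested admin: super: true block and the dotted admin.super: true key) flatten to the same access.admin.super key, so one check covers both.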
Monitoring Recommendations
- Alert on creation of any user file in user/accounts/ that contains access entries under the admin namespace (for example admin.super: true).
- Monitor administrative actions performed by recently created accounts during the first 24 hours after registration.
- Forward Grav and web server logs to a central log analytics platform for correlation of registration events with subsequent privileged actions.
How to Mitigate CVE-2026-42613
Immediate Actions Required
- Upgrade Grav and the Login plugin to 2.0.0-beta.2 or later.
- Disable public user registration until the upgrade is complete by setting enabled: false under the Login plugin's user registration configuration.
- Review and remove groups and access from the allowed_fields list in the Login plugin configuration if registration must remain enabled on an unpatched instance.
- Audit existing accounts for unauthorized admin.super privileges and remove any accounts that were not provisioned by administrators.
Patch Information
The fix is delivered in Grav 2.0.0-beta.2. The remediation commit is available at getgrav/grav-plugin-login commit 3d419a0. The patch removes groups and access from the set of fields that can be assigned during self-registration.
Workarounds
- Disable the Login plugin's registration feature on unpatched instances.
- Restrict access to the registration endpoint at the web server or reverse proxy layer until patching is complete.
- Remove groups and access from the Login plugin allowed_fields configuration if registration cannot be disabled.
# Configuration example: user/config/plugins/login.yaml
user_registration:
  enabled: false
  fields:
    - username
    - email
    - password
    - fullname
  # Ensure 'groups' and 'access' are NOT present in the fields list
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.