CVE-2026-42844 Overview
CVE-2026-42844 is a privilege escalation vulnerability in Grav, a file-based web platform. The flaw affects Grav 2.0.0-beta.2 and allows a low-privileged authenticated API user holding the api.media.write permission to abuse the /api/v1/blueprint-upload endpoint. Attackers write an arbitrary YAML file into user/accounts/, effectively creating a new account with api.super privileges. After authenticating as the attacker-controlled account, adversaries gain full administrative control of the Grav API. The issue is classified under CWE-269 (Improper Privilege Management) and is fixed in Grav API 1.0.0-beta.17.
Critical Impact
Authenticated low-privilege API users can escalate to full administrative control of the Grav API by writing a crafted YAML account file.
Affected Products
- Grav 2.0.0-beta.2 (file-based web platform)
- Grav API versions prior to 1.0.0-beta.17
- Deployments exposing /api/v1/blueprint-upload to authenticated users
Discovery Timeline
- 2026-05-12 - CVE-2026-42844 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42844
Vulnerability Analysis
The vulnerability resides in the Grav API endpoint /api/v1/blueprint-upload. This endpoint is intended for users holding the api.media.write capability and accepts blueprint file uploads. The endpoint does not adequately restrict the destination path or file content type. As a result, an authenticated low-privileged user can write arbitrary YAML files outside the media context.
By targeting the user/accounts/ directory, attackers create a new Grav user account through file write rather than the user management API. The crafted YAML defines an account with the api.super role. Grav loads this account on subsequent authentication, treating the attacker-controlled credentials as a legitimate administrator. The escalation path crosses a privilege boundary without invoking any authorization check on the role granted [CWE-269].
Root Cause
The root cause is improper privilege management combined with insufficient path and content validation on the blueprint-upload endpoint. The handler trusts the supplied filename and YAML payload, allowing it to be written into security-sensitive directories. Grav treats files under user/accounts/ as authoritative identity material, so any writable account YAML becomes a valid user record.
Attack Vector
The attack is network-reachable and requires only low-privileged authentication. The adversary authenticates with an account that has api.media.write, sends a crafted request to /api/v1/blueprint-upload referencing a target path under user/accounts/, and supplies YAML that declares api.super. The attacker then authenticates as the new account and issues administrative API calls. No user interaction is required.
No public proof-of-concept code is referenced in the advisory. See the GitHub Security Advisory GHSA-6xx2-m8wv-756h for vendor technical details.
Detection Methods for CVE-2026-42844
Indicators of Compromise
- Unexpected YAML files in the user/accounts/ directory with recent modification timestamps.
- Account YAML containing the api.super privilege that does not match provisioning records.
- HTTP requests to /api/v1/blueprint-upload originating from non-administrative API tokens.
- Successful authentication events for accounts that were not created through standard administrative workflows.
Detection Strategies
- Inspect web server and application logs for POST requests to /api/v1/blueprint-upload and correlate with the requesting user's privilege level.
- Alert on file creation events in user/accounts/ that are not preceded by an administrative session.
- Compare the current set of Grav accounts against a known-good inventory and flag additions with elevated roles.
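The account-file audit and log correlation described in these strategies, as an added Python example (not part of the advisory or of Grav itself). It assumes Grav account files are simple indented YAML mappings with the API capability stored under access -> api -> super, and reads common-log-format lines in which the authenticated user is the third field; both the account layout and the sample data are constructed.

```python
import re

# Constructed samples, not real Grav data. The account layout (access -> api -> super)
# is an assumption about the API plugin's schema; adjust the dotted keys to your deployment.
SAMPLE_ACCOUNTS = {
    "editor.yaml": "email: editor@example.test\naccess:\n  api:\n    media.write: true\n",
    "svc-backup.yaml": "email: svc@example.test\nstate: enabled\naccess:\n  api:\n    super: true\n",
}
KNOWN_GOOD = {"editor": False}  # provisioning inventory: username -> is api.super expected?
SAMPLE_LOG = (  # constructed common-log-format lines; the remote user is the third field
    '203.0.113.7 - editor [12/May/2026:10:01:02 +0000] "POST /api/v1/blueprint-upload HTTP/1.1" 200 51\n'
    '198.51.100.2 - admin [12/May/2026:10:05:00 +0000] "POST /api/v1/blueprint-upload HTTP/1.1" 200 51\n'
)
LOG_RE = re.compile(r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) ')


def parse_flat_yaml(text):
    """Minimal parser for indented key: value mappings, flattened to dotted keys (no lists, no quoting)."""
    flat, stack = {}, []  # stack of (indent, key) for the mappings currently open
    for raw in filter(str.strip, text.splitlines()):
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # a dedent closes nested mappings
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if value.strip():
            flat[path] = value.strip()
        else:
            stack.append((indent, key))
    return flat


def audit_accounts(files=SAMPLE_ACCOUNTS, known_good=KNOWN_GOOD):
    """Map username -> findings for account files that are unprovisioned or hold unexpected api.super."""
    findings = {}
    for filename, text in files.items():
        user, fields = filename.rsplit(".", 1)[0], parse_flat_yaml(text)
        reasons = []
        if user not in known_good:
            reasons.append("not in provisioning inventory")
        if fields.get("access.api.super") == "true" and not known_good.get(user, False):
            reasons.append("grants api.super without a provisioning record")
        if reasons:
            findings[user] = reasons
    return findings


def non_admin_uploads(log_text=SAMPLE_LOG, admins=frozenset({"admin"})):
    """Usernames that POSTed to /api/v1/blueprint-upload while not holding an admin role."""
    return [m["user"] for m in map(LOG_RE.match, log_text.splitlines())
            if m and m["method"] == "POST" and m["path"] == "/api/v1/blueprint-upload" and m["user"] not in admins]
```

Point `audit_accounts` at the real contents of user/accounts/ and `non_admin_uploads` at the access log, and feed the two result sets into the same alert so a non-admin upload followed by a new api.super file is surfaced as one incident.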
Monitoring Recommendations
- Enable file integrity monitoring on the Grav user/accounts/ and user/config/ directories.
- Forward Grav application logs to a centralized log platform and retain authentication and API audit events.
- Track issuance and use of API tokens, especially those granting api.media.write.
How to Mitigate CVE-2026-42844
Immediate Actions Required
- Upgrade the Grav API package to version 1.0.0-beta.17 or later, which contains the official fix.
- Audit user/accounts/ for unauthorized YAML files and remove any account not created through legitimate processes.
- Rotate credentials and API tokens for all accounts that hold api.media.write or api.super privileges.
Patch Information
The vendor fixed CVE-2026-42844 in Grav API 1.0.0-beta.17. Upgrade instructions and the advisory text are available in the GitHub Security Advisory GHSA-6xx2-m8wv-756h.
Workarounds
- Restrict network access to the Grav API to trusted administrative networks until patching is complete.
- Revoke the api.media.write capability from all non-essential accounts.
- Block requests to /api/v1/blueprint-upload at a reverse proxy or web application firewall for unauthorized roles.
# Example nginx restriction blocking the vulnerable endpoint at the edge.
# This blocks every caller, not only unauthorized roles, so it is a stop-gap until patching.
# nginx evaluates "return" before "deny", so "return 403;" alone is sufficient here.
location = /api/v1/blueprint-upload {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.