CVE-2026-44738 Overview
CVE-2026-44738 is an information disclosure vulnerability in Grav, a file-based web platform. The flaw exists in the Twig sandbox allow-list configuration in versions prior to 2.0.0-rc.2. Any authenticated user holding the admin.pages role can invoke config.toArray() from within a page body. This call dumps the entire merged site configuration into the rendered HTML output. The exposed data includes plugin secrets such as SMTP passwords, AWS keys, OAuth client secrets, and API tokens. Administrator privileges are not required to trigger the disclosure. The issue is tracked under [CWE-200] (Exposure of Sensitive Information to an Unauthorized Actor) and is fixed in Grav 2.0.0-rc.2.
Critical Impact
A low-privileged user with page editing rights can extract all plugin secrets, cloud credentials, and API tokens from a Grav site by rendering a single Twig expression.
Affected Products
- Grav versions prior to 2.0.0-rc.2
- Grav 2.0.0-beta1 through 2.0.0-beta4
- Grav 2.0.0-rc1
Discovery Timeline
- 2026-05-11 - CVE-2026-44738 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-44738
Vulnerability Analysis
Grav uses the Twig templating engine to render page content. To restrict what page authors can execute, Grav enforces a Twig sandbox that defines an allow-list of methods callable on exposed objects. The vulnerability arises because the config object's toArray() method is permitted by the sandbox allow-list. When a page author embeds this call inside a page body, Twig serializes the full merged configuration tree into the rendered output.
The merged configuration includes plugin settings loaded from YAML files across the site. Grav stores credentials for outbound services in these configuration files. Examples include SMTP authentication for the email plugin, AWS access keys for storage integrations, OAuth client secrets for login providers, and API tokens for third-party integrations. All of these values are returned by config.toArray() without filtering.
The scope is changed because a user limited to page editing can read secrets owned by other plugins and administrative subsystems. The attacker needs only the admin.pages role, which is commonly delegated to content editors.
Root Cause
The root cause is an overly permissive Twig sandbox policy. The allow-list does not distinguish between configuration accessors that return safe presentation data and accessors that return sensitive secrets. config.toArray() should have been excluded from the sandbox or filtered to remove secret keys before serialization.
Attack Vector
An attacker authenticates to the Grav admin interface with an account holding the admin.pages role. The attacker creates or edits a page and inserts a Twig expression that calls config.toArray() and renders the result. When the page is viewed, the response body contains the complete configuration dump. The attacker then harvests credentials from the rendered HTML and uses them to pivot to external services such as cloud providers, mail relays, or OAuth identity providers.
No code execution is required, and the attack leaves the underlying filesystem untouched. Refer to the GitHub Security Advisory GHSA-j274-39qw-32c9 for the vendor's technical description.
Detection Methods for CVE-2026-44738
Indicators of Compromise
- Page content or stored Twig templates containing references to config.toArray, config|json_encode, or iteration over the config object.
- Unusual edits to pages by accounts holding only the admin.pages role, especially edits that add Twig logic to otherwise static content.
- Rendered pages whose response bodies contain strings matching secret patterns such as smtp, aws_access_key, client_secret, or api_token.
- Outbound authentication failures or anomalous logins to integrated services (SMTP relays, AWS, OAuth providers) following a page edit event.
Detection Strategies
- Audit the Grav user/pages directory for Twig expressions that reference the config object and flag any instance of toArray.
- Review Grav admin audit logs for page create and update events performed by non-administrator accounts.
- Inspect web server access logs for requests to recently modified pages and correlate response sizes against historical baselines.
Monitoring Recommendations
- Enable verbose logging on the Grav admin plugin and forward events to a centralized log platform for correlation.
- Monitor outbound API calls from credentials referenced in Grav configuration files and alert on use from unexpected source addresses.
- Rotate and watch canary credentials placed inside Grav plugin configurations to detect exfiltration.
How to Mitigate CVE-2026-44738
Immediate Actions Required
- Upgrade Grav to version 2.0.0-rc.2 or later on all affected installations.
- Rotate every secret stored in Grav plugin configurations, including SMTP credentials, AWS keys, OAuth client secrets, and API tokens.
- Review all existing pages for Twig expressions that reference config and remove any unauthorized content.
- Audit which accounts hold the admin.pages role and revoke access from users who do not require page editing.
Patch Information
The vulnerability is fixed in Grav 2.0.0-rc.2. The fix removes config.toArray() from the Twig sandbox allow-list, preventing page-level Twig code from serializing the merged configuration. Patch details are documented in the GitHub Security Advisory GHSA-j274-39qw-32c9.
Workarounds
- Restrict the admin.pages role to fully trusted users until the upgrade is applied.
- Move sensitive plugin secrets out of Grav YAML configuration files and reference them through environment variables where supported.
- Place the Grav admin interface behind network access controls such as a VPN or IP allow-list to reduce the authenticated attack surface.
# Configuration example: upgrade Grav using the bundled CLI
bin/gpm selfupgrade -f
bin/gpm update
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
