Threat Advisory

Unauthorized YAML Upload Vulnerability Allows Administrative Rights in Grav CMS

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
EXECUTIVE SUMMARY:

CVE-2026-42844 (CVSS score 8.7) is a vulnerability in the Grav API plugin that allows low-privileged authenticated users to create super-admin accounts via the blueprint-upload feature. The flaw is located in the API plugin's blueprint upload flow. An attacker can exploit it by authenticating as a low-privileged API user, uploading a malicious account YAML file to the /api/v1/blueprint-upload endpoint, and then logging in as the newly created account, which holds super-admin privileges. The result is full administrative compromise of the Grav API. The only privilege required is a low-privileged API account holding the api.media.write permission. If exploited, the vulnerability gives the attacker unrestricted administrative access to the Grav API, which could lead to data theft, modification or destruction, as well as a range of other malicious activity. No prerequisites or conditions are required for exploitation beyond that low-privileged API user account.
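The attack chain above leaves two observable traces in HTTP access logs: a POST to /api/v1/blueprint-upload by an account that is not a known administrator, followed by requests authenticated as an account that did not previously exist. The following detector is an added example written for this advisory; it is not code from Grav or from the advisory's sources. It assumes a combined-log format in which the third field carries the authenticated username, that uploads are not expected from non-admin accounts, and that a baseline list of legitimate account names is available. The log lines are constructed, and every path other than the blueprint-upload endpoint named in the advisory is a placeholder.

```python
import re
from dataclasses import dataclass

# Endpoint named in the advisory; all other paths below are placeholders.
UPLOAD_ENDPOINT = "/api/v1/blueprint-upload"

# Constructed sample access log (combined-log style with an authenticated
# user field). Not taken from any real deployment.
SAMPLE_LOG = """\
203.0.113.10 - editor [12/Mar/2026:10:01:02 +0000] "GET /api/v1/pages HTTP/1.1" 200 512
203.0.113.10 - editor [12/Mar/2026:10:01:30 +0000] "POST /api/v1/blueprint-upload HTTP/1.1" 201 84
203.0.113.10 - newadmin [12/Mar/2026:10:02:05 +0000] "GET /api/v1/users HTTP/1.1" 200 2048
198.51.100.7 - admin [12/Mar/2026:10:05:00 +0000] "POST /api/v1/blueprint-upload HTTP/1.1" 201 84
198.51.100.7 - admin [12/Mar/2026:10:06:00 +0000] "GET /api/v1/pages HTTP/1.1" 200 512
203.0.113.10 - editor [12/Mar/2026:10:07:00 +0000] "POST /api/v1/blueprint-upload HTTP/1.1" 403 0
"""

# ip ident user [timestamp] "METHOD path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \d+'
)


@dataclass(frozen=True)
class Finding:
    kind: str
    user: str
    ip: str
    ts: str
    status: int


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def detect(log_text, admin_users, baseline_accounts):
    """Return findings for the two stages of the escalation chain.

    Stage 1: a blueprint-upload POST by a non-admin user (flagged whether the
             server accepted it or not, with the status recorded).
    Stage 2: any later request from the same source IP authenticated as an
             account that is absent from the baseline account list, i.e. a
             candidate newly created super-admin being used.
    """
    findings = []
    upload_ips = set()  # sources that completed a non-admin upload
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        success = 200 <= rec["status"] < 300
        is_upload = rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT
        if is_upload and rec["user"] not in admin_users:
            kind = ("non_admin_blueprint_upload" if success
                    else "non_admin_blueprint_upload_denied")
            findings.append(Finding(kind, rec["user"], rec["ip"], rec["ts"], rec["status"]))
            if success:
                upload_ips.add(rec["ip"])
        elif (rec["user"] != "-" and rec["user"] not in baseline_accounts
              and rec["ip"] in upload_ips):
            findings.append(Finding("unknown_account_after_upload",
                                    rec["user"], rec["ip"], rec["ts"], rec["status"]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG, {"admin"}, {"admin", "editor"}):
        print(f"{f.ts} {f.kind}: user={f.user} ip={f.ip} status={f.status}")
```

Run against the constructed log with `admin` as the only administrator and `admin`/`editor` as the baseline accounts, the detector reports the accepted upload by `editor`, the subsequent use of the unknown account `newadmin` from the same source, and the later denied upload attempt; the admin's own upload is not flagged. In a real deployment the baseline would come from an inventory of the accounts directory taken before the vulnerable version was exposed, and any hit on the second stage should be treated as a likely successful escalation pending review of the uploaded YAML.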


RECOMMENDATION:

We strongly recommend updating getgrav/grav to the fixed version listed in the advisory: https://github.com/advisories/GHSA-6xx2-m8wv-756h

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-6xx2-m8wv-756h
