Business Logic Vulnerability in Grav Admin Panel Affecting Grav Web Platform
CVE-2026-42609

8.1HIGH

Key Information:

Vendor

Getgrav

Status
Grav
Vendor
CVE Published:
11 May 2026

What is CVE-2026-42609?

In Grav, prior to version 2.0.0-beta.2, a business logic vulnerability exists within the Admin Panel. This flaw permits a low-privileged user, granted only user creation permissions, to overwrite existing user accounts, including the primary administrator. When a new user attempts to register with a username already in use, instead of alerting the user, the platform updates the existing account's metadata and permissions. This oversight creates a pathway to potential Denial of Service (DoS) on administrative functionalities and facilitates the Privilege De-escalation of the root account, undermining the security integrity of the platform. The issue is resolved in version 2.0.0-beta.2.

Affected Version(s)

grav < 2.0.0-beta.2

References

https://github.com/getgrav/grav/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/getgrav/grav/commit/5a12f9be8314682c87...
x_refsource_MISC
https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667...
x_refsource_MISC

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.