Vulnerability in Grav File-based Web Platform Affects User Permissions
CVE-2026-42610

6.5MEDIUM

Key Information:

Vendor: Getgrav
Status: Grav
Vendor: CVE Published:; 11 May 2026

What is CVE-2026-42610?

Grav, a popular file-based web platform, prior to version 2.0.0-beta.2, contains a vulnerability that allows low-privileged users, such as content editors with limited permissions, to bypass the Twig sandbox restrictions. By leveraging the grav['accounts'] service, an attacker can programmatically access administrative user objects, enabling the extraction of sensitive data, including Bcrypt password hashes and security salts. This significant oversight puts user data at risk, making timely upgrades crucial to maintain security.

Affected Version(s)

grav < 2.0.0-beta.2

References

https://github.com/getgrav/grav/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2026
Vulnerability Reserved
Apr 29, 2026

CVE-2026-42610 Data

JSON

Getgrav

What is CVE-2026-42610?

Affected Version(s)

References

CVSS V3.1

Timeline