Authentication Bypass in Grav Login Plugin by Grav
CVE-2026-42613

9.4CRITICAL

Key Information:

Vendor

Getgrav

Status
Vendor
CVE Published:
11 May 2026

What is CVE-2026-42613?

CVE-2026-42613 is a significant security vulnerability related to the Grav Login Plugin for the Grav content management system, a widely-used file-based web platform designed for simplicity and flexibility in web development. This vulnerability resides in the Login::register() method, which fails to adequately validate user inputs during the registration process. Specifically, it allows an unauthenticated user to exploit this flaw by injecting unauthorized groups and access fields into the registration request. As a result, an attacker could self-register with elevated privileges, particularly those associated with an admin.super role, granting them substantial control over the system. If an organization does not patch this vulnerability, they may face grave security risks, including unauthorized policy modifications, data breaches, and potential takeover of their web environment.

Potential impact of CVE-2026-42613

  1. Unauthorized Access: The most immediate and concerning impact of this vulnerability is the potential for unauthorized access. Attackers can create accounts with administrative privileges, enabling them to manage and alter critical system settings without detection.

  2. Data Compromise: An attacker with admin-level access could access sensitive data stored on the platform, leading to potential data leaks, loss of confidentiality, and breaches of user privacy.

  3. System Integrity Threats: With administrative privileges, malicious actors could manipulate the integrity of the web platform, altering content, injecting malicious code, or even deploying further malware, which could compromise not only the affected organization but also its users.

Affected Version(s)

grav < 2.0.0-beta.2

References

CVSS V3.1

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.