Authentication Bypass in Grav Login Plugin by Grav
CVE-2026-42613
What is CVE-2026-42613?
CVE-2026-42613 is a significant security vulnerability related to the Grav Login Plugin for the Grav content management system, a widely-used file-based web platform designed for simplicity and flexibility in web development. This vulnerability resides in the Login::register() method, which fails to adequately validate user inputs during the registration process. Specifically, it allows an unauthenticated user to exploit this flaw by injecting unauthorized groups and access fields into the registration request. As a result, an attacker could self-register with elevated privileges, particularly those associated with an admin.super role, granting them substantial control over the system. If an organization does not patch this vulnerability, they may face grave security risks, including unauthorized policy modifications, data breaches, and potential takeover of their web environment.
Potential impact of CVE-2026-42613
-
Unauthorized Access: The most immediate and concerning impact of this vulnerability is the potential for unauthorized access. Attackers can create accounts with administrative privileges, enabling them to manage and alter critical system settings without detection.
-
Data Compromise: An attacker with admin-level access could access sensitive data stored on the platform, leading to potential data leaks, loss of confidentiality, and breaches of user privacy.
-
System Integrity Threats: With administrative privileges, malicious actors could manipulate the integrity of the web platform, altering content, injecting malicious code, or even deploying further malware, which could compromise not only the affected organization but also its users.
Affected Version(s)
grav < 2.0.0-beta.2
