File-Based Web Platform Vulnerability in Grav by GetGrav
CVE-2026-55885
6.8MEDIUM
What is CVE-2026-55885?
Grav, a popular file-based web platform, contains a security flaw that allows authenticated administrators with backup permissions to download a ZIP archive of the complete Grav installation. This archive may include sensitive files such as 'user/accounts/admin.yaml', which contains the administrator's password hash, and 'user/config', which holds site configuration data. This vulnerability is initiated through a backup download endpoint, accessible solely via the session-static admin-nonce URL parameter. The issue was resolved in version 1.7.53, highlighting the need for users to upgrade to safeguard administration credentials and configurations.
Affected Version(s)
grav < 1.7.53
