Exfiltration Flaw in Grav CMS Versions Prior to 2.0.2
CVE-2026-61450

7.1HIGH

Key Information:

Vendor

Getgrav

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-61450?

An exfiltration vulnerability exists in Grav CMS prior to version 2.0.2 due to a bypass in the Twig sandbox functionality. This flaw allows users with permissions, such as page authors or administrators, to access sensitive configuration secrets. While the sandbox replaces the 'config' variable with a redacted version, attackers can still leverage the allow-listed grav.offsetGet('config') to access the unfiltered Config object. This presents a danger as it enables the use of object-dumping filters like json_encode and print_r to serialize and retrieve the complete configuration tree, including critical information such as SMTP credentials, API keys, and database credentials. This issue represents an incomplete fix from a previous advisory and poses significant risks for users of the affected versions.

Affected Version(s)

grav 0 < 2.0.2

grav 2.0.2

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

iliaal
.