Exfiltration Flaw in Grav CMS Versions Prior to 2.0.2
CVE-2026-61450
What is CVE-2026-61450?
An exfiltration vulnerability exists in Grav CMS prior to version 2.0.2 due to a bypass in the Twig sandbox functionality. This flaw allows users with permissions, such as page authors or administrators, to access sensitive configuration secrets. While the sandbox replaces the 'config' variable with a redacted version, attackers can still leverage the allow-listed grav.offsetGet('config') to access the unfiltered Config object. This presents a danger as it enables the use of object-dumping filters like json_encode and print_r to serialize and retrieve the complete configuration tree, including critical information such as SMTP credentials, API keys, and database credentials. This issue represents an incomplete fix from a previous advisory and poses significant risks for users of the affected versions.
Affected Version(s)
grav 0 < 2.0.2
grav 2.0.2
