External risk intelligence

An attacker can gain admin control of Grav websites through registration.

CVE advisory. Severity: CRITICAL (CVSS 9.4)

CVE-2026-42613

An attacker can gain full administrative control of Grav websites by exploiting a flaw in the registration process. This allows anyone to become an administrator, putting your website's security at risk.

Halo Surface Signal: 4

External exposure likelihood

Halo Surface Signal score for CVE-2026-42613

Grav is a web platform typically deployed as an internet-facing application. The vulnerability exists within the user registration function, a common feature for websites and portals. Instances with this feature enabled are directly reachable by unauthorized users over the public internet, fitting the criteria for a commonly deployed, internet-facing web application.

Horizon Alert

Summary of the vulnerability and why it matters

An unauthenticated user could gain administrative control over the Grav web platform by exploiting a weakness in the Login plugin's registration process. This allows them to bypass normal security checks and assign themselves the highest level of privileges. Teams should pay attention because this could allow unauthorized individuals to take over their website.

  • Anyone can become an administrator.
  • This affects Grav websites with registration enabled.
  • An attacker can gain full control.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could exploit this flaw by sending a crafted POST request to the registration endpoint. If registration is enabled and the form is configured to accept the attacker-controlled groups or access fields, they can supply those fields to grant themselves administrative privileges. This allows them to fully compromise the Grav instance.

  • Registration enabled is required.
  • Target the Login plugin's registration.
  • Inject admin privileges via POST data.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Grav's Login plugin allows unauthenticated users to gain admin privileges if registration is enabled and configured to accept specific fields. This type of vulnerability is attractive to attackers because it offers a direct path to high-level access on a web platform without any prior authentication. Being a critical-severity, network-exploitable flaw on a web platform further increases its appeal.

  • Exploitable remotely over network.
  • Fixed version released recently.
  • KEV listing status is unknown.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize blocking unauthenticated registration attempts and immediately upgrade the Login plugin to version 2.0.0-beta.2 to address the critical privilege escalation vulnerability. If upgrading is not immediately feasible, disable the user registration feature entirely to prevent exploitation.

  • Upgrade Login plugin to 2.0.0-beta.2.
  • Disable user registration if upgrade is delayed.
  • Monitor for unauthorized admin account creation.
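The last action above, monitoring for unauthorized admin account creation, can be turned into a baseline check. The following is an added example written for this page, not code from the advisory or from Grav; it assumes per-user account records shaped like Grav's (an `access` map with an `admin` sub-map, plus an optional `groups` list) and a groups map with the same nested `access` layout, and it compares every account that resolves to admin-level access against an approved list. The sample records are constructed.

```python
from typing import Any, Dict, Iterable, List, Set

# Constructed sample accounts, shaped like Grav's per-user account records (assumption).
SAMPLE_ACCOUNTS: Dict[str, Dict[str, Any]] = {
    "alice": {"state": "enabled",
              "access": {"admin": {"login": True, "super": True}, "site": {"login": True}}},
    "bob": {"state": "enabled", "access": {"site": {"login": True}}},
    # Self-registered record carrying injected admin access and a privileged group.
    "mallory": {"state": "enabled", "groups": ["admins"],
                "access": {"admin": {"login": "true", "super": "true"}}},
    # Admin access reached only through group membership.
    "dave": {"state": "enabled", "groups": ["admins"], "access": {"site": {"login": True}}},
    "carol": {"state": "enabled", "groups": ["editors"], "access": {"site": {"login": True}}},
}

# Constructed groups map; group privileges use the same nested access layout (assumption).
SAMPLE_GROUPS: Dict[str, Dict[str, Any]] = {
    "admins": {"access": {"admin": {"login": True, "super": True}}},
    "editors": {"access": {"site": {"login": True}}},
}


def _truthy(value: Any) -> bool:
    """YAML-sourced flags may arrive as bool, 'true' or 1; normalise to bool."""
    return str(value).strip().lower() in ("true", "1", "yes")


def admin_grants(access: Dict[str, Any]) -> Set[str]:
    """Admin-level flags that are set in one access map, e.g. {'login', 'super'}."""
    admin = access.get("admin")
    if not isinstance(admin, dict):
        return set()
    return {flag for flag, val in admin.items() if _truthy(val)}


def effective_admin_grants(account: Dict[str, Any], groups: Dict[str, Any]) -> Set[str]:
    """Union of the account's direct admin flags and those inherited from its groups."""
    grants = admin_grants(account.get("access") or {})
    for name in account.get("groups") or []:
        grants |= admin_grants((groups.get(name) or {}).get("access") or {})
    return grants


def find_unexpected_admins(accounts: Dict[str, Any], groups: Dict[str, Any],
                           approved: Iterable[str]) -> Dict[str, List[str]]:
    """Map each account with admin-level access that is not on the approved list
    to the sorted admin flags it holds; an empty result means the baseline holds."""
    approved_set = set(approved)
    flagged: Dict[str, List[str]] = {}
    for username, account in sorted(accounts.items()):
        grants = effective_admin_grants(account, groups)
        if grants and username not in approved_set:
            flagged[username] = sorted(grants)
    return flagged
```

Run it against the real account and group records on a schedule and alert on any non-empty result; a freshly registered account that appears here is exactly the condition the advisory describes.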

Frequently asked questions

What is Grav and what is its primary function?

Grav is an open-source, flat-file content management system (CMS) that operates without requiring a database. It is designed for building various types of websites, including personal blogs, portfolios, small business sites, and documentation platforms, with a focus on speed and adaptability.

What weaknesses are identified in CVE-2026-42613?

CVE-2026-42613 involves two weaknesses: CWE-20 (Improper Input Validation) and CWE-862 (Missing Authorization). This means that the system did not adequately validate user-provided data during registration and failed to properly check if the user had permission to set specific privileges.

How can an unauthenticated attacker exploit CVE-2026-42613?

An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request to the registration endpoint of the Login plugin. If user registration is enabled and the fields for groups or access are configured to be allowed, the attacker can inject these fields to self-register with administrative super privileges.

What is the relevance of CVE-2026-42613 for internet-facing applications?

Grav is a web platform often deployed as an internet-facing application. The vulnerability lies within the user registration function, which is commonly accessible to the public internet, making it a direct target for unauthorized users seeking to gain high-level access to the platform.

What are the recommended actions to mitigate CVE-2026-42613?

To mitigate this vulnerability, it is recommended to immediately upgrade the Grav Login plugin to version 2.0.0-beta.2. If an upgrade cannot be performed promptly, the user registration feature should be disabled entirely to prevent exploitation. Monitoring for any unauthorized administrative account creation is also advised.
