External risk intelligence

Grav Login Plugin 2FA Bypass Allows Password-Only Authentication

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-62232

Grav is a web application that is commonly deployed as a public-facing website or content management system. The vulnerability exists within the login and authentication flow, which is a primary, internet-accessible interface for the application.

Authentication Bypass

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability within the Grav content management system that could allow an attacker to bypass two-factor authentication. The issue arises from how the system handles the regeneration of two-factor authentication secrets during a pending login. If an attacker knows a user's password, they may be able to exploit this flaw to replace the user's legitimate two-factor secret with their own, effectively turning two-factor authentication into a single-factor password login and gaining unauthorized access.

  • Flaw lets attackers bypass two-factor login.
  • Could lead to unauthorized account access.
  • Confirm if Grav is deployed and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker could gain unauthorized access to a Grav system by exploiting a flaw in the two-factor authentication process. If an attacker knows a victim's password, they can bypass the need for a valid two-factor code by initiating a process to regenerate the victim's authentication secret. This allows the attacker to set a new secret, generate a valid code for it, and subsequently log in as the victim, effectively reducing security to just the password.

  • Entry condition: Attacker knows victim's password.
  • Trigger point: Attacker calls task to regenerate 2FA secret.
  • Resulting risk: Complete account takeover.

Live Threat

Current exploitation, exposure, and threat context

An attacker who knows a victim's password could bypass two-factor authentication when the system is in a specific pending state. This could allow them to gain access to the affected system by replacing the victim's two-factor secret with their own, effectively turning two-factor authentication into single-factor password protection.

  • User account access.
  • Overwriting 2FA secrets via task.
  • Account takeover without 2FA.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in the login plugin allows for a two-factor authentication bypass. The application owner is responsible for identifying affected instances and confirming reachability and business criticality. Coordination with the platform or infrastructure team is crucial for remediation planning.

  • Application owners should own the issue.
  • Verify login plugin's 2FA secret regeneration.
  • Plan remediation based on confirmed exposure.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Grav and how is it used?

Grav is a flexible, file-based content management system (CMS) that does not require a database. Developers and content creators often use it to build fast, lightweight websites. Because it is a web application designed for content management, it typically runs on a server where the login and administrative interfaces are accessible to site managers.

What does CWE-862 mean for CVE-2026-62232?

CWE-862 refers to 'Missing Authorization.' In the context of this CVE, it means the Grav login plugin fails to verify that a user is allowed to perform a specific action. Specifically, the system allows the 'regenerate2FASecret' task to run if a user exists, without checking if the person requesting the change is authorized to do so. This security oversight is what allows the bypass to occur.

How can an attacker trigger this 2FA bypass?

The attack requires the actor to already possess the victim's account password. With that, they can invoke the secret regeneration task during the pending TOTP challenge window. It is important to note that this trigger path requires knowledge of the password; simply interacting with the login page is not enough to overwrite the 2FA secret. Additionally, the attack succeeds without needing a CSRF nonce, which would normally protect such sensitive tasks.

Is my Grav installation at risk according to Halo Surface Signal?

Halo Surface Signal identifies Grav as a platform commonly deployed as a public-facing website. Because this vulnerability exists within the login and authentication flow—which is a primary, internet-accessible interface—any Grav instance reachable from the public web is considered at a higher level of interest. If your login page is accessible to the internet, it falls into the scope of this threat.

What should I do if I run Grav?

First, verify if your Grav version is earlier than 2.0.4. If it is, you are running an affected version. Because this flaw bypasses 2FA, application owners should prioritize checking their instance for this specific login plugin behavior. Coordinate with your technical team to plan for an update to the secure version. Until you can update, ensure that account passwords for your administrative users are strong and unique to prevent the initial access required to trigger this vulnerability.

References