CVE-2026-42609 PUBLISHED

Grav: Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic

Assigner: GitHub_M
Reserved: 29.04.2026 Published: 11.05.2026 Updated: 11.05.2026

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the request. This leads to a Denial of Service (DoS) on administrative functions and Privilege De-escalation of the root account. This vulnerability is fixed in 2.0.0-beta.2.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CVSS Score: 8.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	getgrav
Product	grav
Versions	Version < 2.0.0-beta.2 is affected

References

Problem Types

CWE-269: Improper Privilege Management CWE
CWE-285: Improper Authorization CWE
CWE-639: Authorization Bypass Through User-Controlled Key CWE
CWE-837: Improper Enforcement of a Single, Unique Action CWE