SB2026050590 - Multiple vulnerabilities in Grav CMS

Description

This security bulletin contains information about 2 vulnerabilities.

1) Improper access control (CVE-ID: CVE-2026-42843)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in UsersController::update when handling PATCH requests to update a user's own profile. A remote user can send a specially crafted PATCH request modifying the access field to escalate privileges.

Exploitation requires an authenticated account with the api.access permission.

2) Improper access control (CVE-ID: CVE-2026-42844)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in the /api/v1/blueprint-upload endpoint when handling blueprint upload requests with caller-controlled destination and scope values. A remote user can upload a crafted YAML account file into user/accounts/ to escalate privileges.

Exploitation requires an authenticated API account with the api.media.write permission.

Remediation

Install update from vendor's website.

References

• https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736
• https://github.com/getgrav/grav/security/advisories/GHSA-6xx2-m8wv-756h