Improper access control in Grav CMS - CVE-2025-66296

Published: May 5, 2026


Vulnerability identifier: #VU130052
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-66296
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Grav CMS
Affected software:
Grav CMS

Detailed vulnerability description

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in the Grav Admin user creation functionality when creating user accounts. A remote user can create a new account using the same username as an existing administrator account and set new credentials to escalate privileges.

The issue can result in takeover of an existing administrator account.
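To make the flaw class concrete, the following added example (a hypothetical model written for this page, not Grav's code) contrasts an account-creation routine that blindly writes a record keyed by username with a hardened version that rejects a username already present after normalization:

```python
"""Model of the CVE-2025-66296 flaw class (hypothetical, not Grav's code):
an account-creation path keyed by username that never checks for an
existing record, so a second "create" replaces an administrator's login."""
import hashlib
import unicodedata


class DuplicateUserError(ValueError):
    """Raised when the requested username is already taken."""


def normalize_username(name: str) -> str:
    """Fold case and Unicode so 'Admin' and 'admin' share one store key."""
    return unicodedata.normalize("NFKC", name).strip().casefold()


def _record(password: str, roles: tuple) -> dict:
    # Toy hash for the model only; a real system uses bcrypt/argon2.
    return {"hash": hashlib.sha256(password.encode()).hexdigest(), "roles": roles}


def create_user_unsafe(store: dict, username: str, password: str) -> None:
    """Vulnerable pattern: blind write overwrites any existing record."""
    store[normalize_username(username)] = _record(password, ("user",))


def create_user(store: dict, username: str, password: str) -> None:
    """Hardened pattern: refuse creation when the normalized key exists."""
    key = normalize_username(username)
    if key in store:
        raise DuplicateUserError(f"username already exists: {username!r}")
    store[key] = _record(password, ("user",))


def demo() -> tuple:
    """Returns (admin_overwritten_by_unsafe, hardened_rejected_duplicate)."""
    store = {}
    create_user(store, "admin", "original-secret")
    store["admin"]["roles"] = ("admin", "super")   # promote to administrator
    create_user_unsafe(store, "Admin", "second-password")
    overwritten = "admin" not in store["admin"]["roles"]  # privileges lost

    store = {}
    create_user(store, "admin", "original-secret")
    try:
        create_user(store, "Admin", "second-password")
        rejected = False
    except DuplicateUserError:
        rejected = True
    return overwritten, rejected
```

The normalization step matters: a uniqueness check that compares raw strings still lets a differently cased or Unicode-confusable name collide with the administrator's record on a case-insensitive store.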


How to mitigate CVE-2025-66296

Install the security update from the vendor's website.

Sources