Authorization bypass through user-controlled key in Grav CMS - CVE-2025-66306


Published: May 5, 2026


Vulnerability identifier: #VU130057
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-66306
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Grav CMS
Affected software:
Grav CMS

Detailed vulnerability description

The vulnerability allows a remote authenticated user to disclose sensitive information belonging to other accounts.

The vulnerability exists due to improper access control in the /admin/accounts/users/{username} endpoint when handling requests for another user's account details. The username in the path is a user-controlled key, and the endpoint does not adequately verify that the requesting user is permitted to view the account it names (CWE-639). A remote authenticated user can request another user's account page and obtain that user's account details.

Note that the sensitive data may still be present in the response body (page source) even when the application returns an HTTP 403 status, so a 403 alone does not prove the request was denied; the body must be inspected as well.
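As an added illustration (example code written for this page, not Grav's implementation), the following Python models the CWE-639 pattern on an account-details route together with the 403 caveat above. The route shape, the permission names and the account fields are assumptions loosely modelled on Grav's per-user account files, and the accounts themselves are constructed sample data. The vulnerable handler looks up and renders the record named by the user-controlled path segment before deciding the status code, so a denied response still carries the data; the hardened handler authorizes against the requested key before loading anything; and the checker looks at the body regardless of the status line.

```python
"""Illustrative model of an IDOR (CWE-639) on an admin account-details route.

Added example, not Grav's code: the route shape, permission names and
account fields below are assumptions modelled on Grav's
user/accounts/<username>.yaml layout (email, fullname, access).
"""
import json
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    email: str
    fullname: str
    access: dict = field(default_factory=dict)

    def can_manage_users(self) -> bool:
        # Assumed permission model: super admins and holders of an
        # "admin.users" grant may view any account.
        admin = self.access.get("admin", {})
        return admin.get("super") is True or admin.get("users") is True


# Constructed sample accounts; none of these are real users.
ACCOUNTS = {
    "alice": Account("alice", "alice@example.test", "Alice Admin",
                     {"admin": {"super": True}}),
    "bob": Account("bob", "bob@example.test", "Bob Editor",
                   {"admin": {"login": True, "pages": True}}),
    "carol": Account("carol", "carol@example.test", "Carol Author",
                     {"admin": {"login": True}}),
}


def render_account(acct: Account) -> str:
    """Assumed page body for /admin/accounts/users/{username}."""
    return json.dumps({
        "username": acct.username,
        "email": acct.email,
        "fullname": acct.fullname,
        "access": acct.access,
    })


def vulnerable_handler(requester: str, username: str):
    """Looks up and renders the record named by the user-controlled path
    segment first and only then picks a status code. A non-admin asking
    for someone else's account gets a 403, but the already-rendered body
    still carries that account's details."""
    target = ACCOUNTS.get(username)
    if target is None:
        return 404, "Not Found"
    body = render_account(target)
    me = ACCOUNTS[requester]
    status = 200 if (requester == username or me.can_manage_users()) else 403
    return status, body


def hardened_handler(requester: str, username: str):
    """Authorizes against the requested key before any record is loaded
    or rendered, so a denial carries no account data."""
    me = ACCOUNTS[requester]
    if not (requester == username or me.can_manage_users()):
        return 403, "Forbidden"
    target = ACCOUNTS.get(username)
    if target is None:
        return 404, "Not Found"
    return 200, render_account(target)


def response_leaks_account(status: int, body: str, requester: str,
                           username: str) -> bool:
    """Client-side check: does the body expose another user's identifying
    fields? Deliberately ignores the status code, because a 403 page can
    still embed the data."""
    if requester == username:
        return False
    target = ACCOUNTS.get(username)
    if target is None:
        return False
    return target.email in body or target.fullname in body


def scan(handler, requester: str) -> list:
    """As a low-privileged requester, request every other account and
    return the usernames whose details appear in the body, whatever the
    status code says."""
    leaked = []
    for username in sorted(ACCOUNTS):
        if username == requester:
            continue
        status, body = handler(requester, username)
        if response_leaks_account(status, body, requester, username):
            leaked.append(username)
    return leaked


if __name__ == "__main__":
    print("vulnerable:", scan(vulnerable_handler, "bob"))  # ['alice', 'carol']
    print("hardened:  ", scan(hardened_handler, "bob"))    # []
```

When checking a deployed instance, apply the same idea: log in as a low-privileged account, request /admin/accounts/users/<other-user>, and search the response body for that user's e-mail address or full name rather than trusting the status line.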


How to mitigate CVE-2025-66306

Install the security update from the vendor's website.

Sources