Improper access control in Grav CMS - CVE-2026-42610
Published: May 5, 2026
Grav CMS
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the Twig environment accounts service when rendering user-supplied Twig content. A remote user can inject Twig expressions that access administrative user objects and configuration values to disclose sensitive information.
Exploitation requires the ability to edit page content with Twig processing enabled.
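The description above points to the two controls a defender can check in any Twig-based application that compiles user-editable content: untrusted template text should be rendered inside Twig's sandbox, and it should receive only the variables the page needs rather than the application's service or configuration objects. The PHP below is an added illustration of that pattern using Twig's own sandbox extension; it is not Grav's code or Grav's fix for this issue, and the `AccountsService` class, the `accounts` global and the `renderUntrusted` helper are constructed stand-ins (it assumes twig/twig is installed via Composer).

```php
<?php
// Added illustration (not Grav's code): render untrusted Twig text inside a
// sandbox and with a minimal context, so page-author expressions cannot reach
// application service objects or configuration.
require __DIR__ . '/vendor/autoload.php'; // assumes twig/twig is installed via Composer

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Constructed stand-in for an application service; not Grav's accounts service.
final class AccountsService
{
    public function all(): array
    {
        return ['admin' => ['email' => 'admin@example.invalid']];
    }
}

// Weak setup: one environment where every service is a global, and
// user-editable page content is compiled as a template with full access.
$weak = new Environment(new ArrayLoader());
$weak->addGlobal('accounts', new AccountsService());

// Hardened setup for untrusted content: the same global may still exist, but
// the sandbox policy permits only a short list of tags and filters and no
// method or property access on any object.
$policy = new SecurityPolicy(
    ['if', 'for'],        // allowed tags
    ['escape', 'upper'],  // allowed filters
    [],                   // allowed methods, keyed by class: none
    [],                   // allowed properties, keyed by class: none
    []                    // allowed functions: none
);
$hardened = new Environment(new ArrayLoader());
$hardened->addGlobal('accounts', new AccountsService());
$hardened->addExtension(new SandboxExtension($policy, true)); // true: sandbox every template

// Render user-supplied template text. Sandbox violations (compile-time for
// tags/filters/functions, run-time for methods/properties) are logged for
// detection and yield an empty string instead of leaking data.
function renderUntrusted(Environment $env, string $userTemplate, array $context): string
{
    try {
        return $env->createTemplate($userTemplate)->render($context);
    } catch (SecurityError $e) {
        error_log('blocked template expression: ' . $e->getMessage());
        return '';
    }
}

$context = ['name' => 'reader']; // only the data the page actually needs

// Benign author content renders the same way in both environments.
echo renderUntrusted($hardened, 'Hello {{ name|upper }}', $context), PHP_EOL; // Hello READER

// Content that calls a method on a service object: the weak environment
// returns the service's data, the hardened one throws a SecurityError
// subclass (method not allowed), which is caught and logged above.
$probe = '{{ accounts.all().admin.email }}';
echo renderUntrusted($weak, $probe, $context), PHP_EOL;      // admin@example.invalid
echo renderUntrusted($hardened, $probe, $context), PHP_EOL;  // empty line; violation logged
```

The `SecurityPolicy` allow-lists are deliberately empty for methods and properties: an object that is not named in those lists cannot be inspected from a template at all, which is the behaviour you want for anything that holds account or configuration data. Watching the application log for the "blocked template expression" line is a cheap way to notice page content that is probing beyond what the sandbox permits.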