Improper privilege management in Grav CMS - CVE-2026-42609

Published: May 5, 2026


Vulnerability identifier: #VU130085
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-42609
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Grav CMS
Affected software:
Grav CMS

Detailed vulnerability description

The vulnerability allows a remote user to cause a denial of service on administrative functions and de-escalate privileges of an administrative account.

The vulnerability exists due to improper privilege management in the Grav Admin Panel user management module when it handles a user creation request whose username already exists. A remote user can submit a new user record that reuses the username of an existing administrative account, causing a denial of service on administrative functions and de-escalating the privileges of that administrative account.

Exploitation requires an account with permission to create other users.
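The following is an added illustration of the CWE-269 pattern described above, not code from Grav or from this advisory: a hypothetical in-memory user store whose flawed create handler writes a record unconditionally, so a "new" user with an existing administrator's username silently replaces the administrator's record and permission set, shown beside a hardened handler that treats creation and update as distinct operations and rejects an existing username. The `UserStore`, `UserAccount` and `admins_demoted` names, the permission-map layout and the case-folding of usernames are all assumptions made for the example; the detection helper shows how a before/after snapshot of who holds super-admin rights can surface a demotion for alerting.

```python
"""Constructed model of a CMS user store (hypothetical; not Grav's code)
showing an unconditional-write create handler next to a hardened one."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class UserAccount:
    username: str
    # Permission map, e.g. {"admin": {"login": True, "super": True}} (assumed layout)
    access: Dict[str, Dict[str, bool]] = field(default_factory=dict)

    def is_super_admin(self) -> bool:
        return bool(self.access.get("admin", {}).get("super", False))


class UserExistsError(Exception):
    """Raised when a create request names an account that already exists."""


class UserStore:
    """Hypothetical in-memory user store keyed by normalised username."""

    def __init__(self) -> None:
        self._users: Dict[str, UserAccount] = {}

    @staticmethod
    def _key(username: str) -> str:
        # Normalise so "Admin" and "admin " cannot exist as distinct records
        # (design choice for the example; a real store must match its backend).
        return username.strip().lower()

    def get(self, username: str) -> Optional[UserAccount]:
        return self._users.get(self._key(username))

    def create_user_unsafe(self, username: str, access: dict) -> UserAccount:
        # Flawed pattern: unconditional write. If the username already exists,
        # the stored record, including its admin rights, is replaced with the
        # caller-supplied one, which is the de-escalation the advisory describes.
        account = UserAccount(username, dict(access))
        self._users[self._key(username)] = account
        return account

    def create_user(self, username: str, access: dict) -> UserAccount:
        # Hardened: a create request must never update. Refuse if the key is taken
        # and let the caller report the conflict instead of touching the record.
        key = self._key(username)
        if key in self._users:
            raise UserExistsError(f"user {username!r} already exists")
        account = UserAccount(username, dict(access))
        self._users[key] = account
        return account

    def snapshot_admins(self) -> Dict[str, bool]:
        # Map of normalised username -> holds super-admin, for change detection.
        return {k: u.is_super_admin() for k, u in self._users.items()}


def admins_demoted(before: Dict[str, bool], after: Dict[str, bool]) -> List[str]:
    """Detection helper: usernames that held super-admin before but not after."""
    return sorted(k for k, was_super in before.items()
                  if was_super and not after.get(k, False))


def demo() -> dict:
    """Run the flawed and the hardened path against a constructed store."""
    admin_access = {"admin": {"login": True, "super": True}}
    editor_access = {"admin": {"login": True}, "site": {"login": True}}

    unsafe = UserStore()
    unsafe.create_user_unsafe("admin", admin_access)
    before = unsafe.snapshot_admins()
    unsafe.create_user_unsafe("Admin", editor_access)  # collides with "admin"
    demoted = admins_demoted(before, unsafe.snapshot_admins())

    safe = UserStore()
    safe.create_user("admin", admin_access)
    try:
        safe.create_user("Admin", editor_access)
        rejected = False
    except UserExistsError:
        rejected = True

    return {
        "unsafe_admin_still_super": unsafe.get("admin").is_super_admin(),
        "unsafe_demoted": demoted,
        "safe_rejected_duplicate": rejected,
        "safe_admin_still_super": safe.get("admin").is_super_admin(),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints a result dictionary in which the flawed store has lost its only super-admin and the detection helper names it, while the hardened store rejects the duplicate and keeps the administrator intact; in a deployment the same before/after comparison can be driven from the user store's audit or file-change events.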


How to mitigate CVE-2026-42609

Install the security update from the vendor's website.
