CVE-2026-42844

HIGH

Grav: Low-privileged API users can create super-admin accounts via blueprint-upload

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-42844. PoCs published by dwisiswant0.

AI-analyzed exploit summary

This repository contains a functional exploit for CVE-2026-42844, a vertical privilege escalation vulnerability in Grav CMS. The exploit leverages insufficient authorization checks in the API plugin's blueprint upload endpoint to create a super-admin account via a malicious YAML file.

Description

Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This results in full administrative compromise of the Grav API. This vulnerability is fixed in API 1.0.0-beta.17.

Exploits (1)

GitHub · working PoC · 1 star
by dwisiswant0 · python · poc
https://github.com/dwisiswant0/neo-pocs/tree/master/2026/CVE-2026-42844

Classification
Working PoC: 100%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Grav CMS < 2.0.0-beta.4
Auth: required
Prerequisites: Grav CMS with API plugin enabled · Authenticated API user with 'api.media.write' permission
devstral-2 · analyzed May 14, 2026

Scores

CVSS v3 8.8
EPSS 0.0005
EPSS Percentile 17.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-269 CWE-434
Status published
Products (3)
getgrav/grav 2.0.0 beta2
getgrav/grav 0 - 2.0.0-beta.4 (Packagist)
getgrav/grav 2.0.0-beta.2
Published May 12, 2026
Tracked Since May 13, 2026