Grav · Grav · CVE-2026-42609
**Name of the Vulnerable Software and Affected Versions**
Grav versions prior to 2.0.0-beta.2
**Description**
A business logic issue in the Grav Admin Panel allows a low-privileged user with user creation permissions to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the request. This occurs because the user management module fails to strictly validate whether a username is already taken by a higher-privileged account, so the existing user's configuration file is overwritten. The result is a Denial of Service (DoS) on administrative functions and privilege de-escalation of the root account, effectively locking the administrator out of the system.
**Recommendations**
Update to version 2.0.0-beta.2.
As a temporary workaround, restrict the `admin.users.create` permission to trusted administrators only.
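The following is an added illustration of the flaw in the Description and of the check that prevents it; it is not Grav's code (Grav is PHP and stores per-user YAML files), and the one-JSON-file-per-username store, the `admin.users.create` permission check, and every account record below are constructed assumptions. The vulnerable `create` writes the account file unconditionally, so a colliding username silently replaces the existing account; the hardened version requires the creation permission named in the workaround and opens the file with `O_CREAT|O_EXCL`, so an existing account of any privilege level is never overwritten and the existence check cannot be raced:

```python
import json
import os
import tempfile
from pathlib import Path

# Added illustration, not Grav's code. The store is a constructed model:
# one JSON file per username standing in for Grav's per-user account files.


class UserExistsError(Exception):
    """Raised when a 'create' would collide with an existing account."""


class NotAuthorized(Exception):
    """Raised when the acting user lacks the user-creation permission."""


def account_path(store: Path, username: str) -> Path:
    """Map a username to its account file, refusing names that could escape the store."""
    if not username or username in (".", "..") or "/" in username or "\\" in username:
        raise ValueError(f"invalid username: {username!r}")
    return store / f"{username}.json"


def create_user_vulnerable(store: Path, username: str, record: dict) -> Path:
    """Models the advisory's bug: 'create' writes the account file unconditionally,
    so a username that already exists is silently replaced, privileges and all."""
    path = account_path(store, username)
    path.write_text(json.dumps(record))
    return path


def create_user_hardened(store: Path, username: str, record: dict, actor_perms: set) -> Path:
    """Fixed version: require the creation permission (assumed name taken from the
    advisory's workaround) and create the file with O_CREAT|O_EXCL so an existing
    account of ANY privilege level is never overwritten. Doing the existence check
    inside open() also closes the check-then-write race a separate exists() leaves."""
    if "admin.users.create" not in actor_perms:
        raise NotAuthorized("actor may not create users")
    path = account_path(store, username)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        raise UserExistsError(f"username already taken: {username}") from None
    with os.fdopen(fd, "w") as fh:
        json.dump(record, fh)
    return path


def load_user(store: Path, username: str) -> dict:
    return json.loads(account_path(store, username).read_text())


def demo() -> dict:
    """Run both code paths against a throwaway store and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp)
        admin_record = {"access": {"admin": {"super": True}}, "state": "enabled"}
        # Constructed low-privilege record that, written over 'admin', locks the admin out.
        low_priv_record = {"access": {"site": {"login": True}}, "state": "disabled"}
        creator_perms = {"admin.users.create"}

        # Seed the primary administrator account.
        create_user_vulnerable(store, "admin", admin_record)

        # Vulnerable path: the collision is not detected and 'admin' is replaced.
        create_user_vulnerable(store, "admin", low_priv_record)
        results["vulnerable_overwrote_admin"] = load_user(store, "admin") == low_priv_record

        # Restore the admin and send the same request through the hardened path.
        create_user_vulnerable(store, "admin", admin_record)
        try:
            create_user_hardened(store, "admin", low_priv_record, creator_perms)
            results["hardened_rejected"] = False
        except UserExistsError:
            results["hardened_rejected"] = True
        results["admin_intact"] = load_user(store, "admin") == admin_record

        # The hardened path still creates genuinely new accounts...
        create_user_hardened(store, "editor", low_priv_record, creator_perms)
        results["new_user_created"] = load_user(store, "editor") == low_priv_record
        # ...and refuses callers without the creation permission.
        try:
            create_user_hardened(store, "other", low_priv_record, set())
            results["unauthorized_rejected"] = False
        except NotAuthorized:
            results["unauthorized_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The key design point is that "create" and "update" are distinct operations with distinct authorization: a create must fail on collision regardless of who owns the existing account, and the failure should come from the atomic file creation itself rather than from a separate existence check that another request could interleave with.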