PT-2026-37275 · Grav · Grav

Anhng1410 · Published 2026-05-05 · Updated 2026-05-27 · CVE-2026-42609

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 2.0.0-beta.2

Description: A business logic issue in the Grav Admin Panel allows a low-privileged user with user creation permissions to overwrite existing accounts, including the primary administrator. When a new user is created with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the request. This happens because the user management module does not check whether the username is already taken by another (possibly higher-privileged) account before writing, so the existing user's configuration file is overwritten. The result is a Denial of Service (DoS) on administrative functions and privilege de-escalation of the root account, effectively locking the administrator out of the system.

Recommendations: Update to version 2.0.0-beta.2. As a temporary workaround, restrict the admin.users.create permission to trusted administrators only.
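The create-versus-overwrite distinction at the heart of this advisory, as an added illustration that is not Grav's code: a dict stands in for the per-user account files, and the `admin.super` permission shape, account names and e-mail values are constructed for the demo.

```python
"""Added example (not Grav's code): a user-store "create" that silently
overwrites an existing account beside one that rejects the collision.

The store dict stands in for per-user account files; all names, fields
and the 'admin.super' permission shape are constructed for this demo."""

class UserExistsError(Exception):
    """Raised when a create request names an account that already exists."""

def _account_key(username: str) -> str:
    # Account files are addressed by name; normalise so two spellings
    # ('Admin', 'admin ') cannot reach the same file as different users.
    return username.strip().lower()

def create_user_vulnerable(store: dict, username: str, data: dict) -> dict:
    """Create-or-overwrite: whatever sits under the name is replaced,
    permissions included. This is the behaviour the advisory describes."""
    key = _account_key(username)
    store[key] = dict(data)
    return store[key]

def create_user_fixed(store: dict, username: str, data: dict) -> dict:
    """Create-only: a taken name is rejected before anything is written,
    whoever owns the existing account."""
    key = _account_key(username)
    if key in store:
        raise UserExistsError(f"account '{key}' already exists")
    store[key] = dict(data)
    return store[key]

def demo() -> dict:
    """Run both paths against a constructed store and report the outcome."""
    admin = {"email": "admin@example.invalid", "access": {"admin": {"super": True}}}
    request = {"email": "new@example.invalid", "access": {"site": {"login": True}}}

    weak = {"admin": dict(admin)}
    create_user_vulnerable(weak, "Admin", request)
    lost = "admin" not in weak["admin"]["access"]  # super flag gone

    hardened = {"admin": dict(admin)}
    try:
        create_user_fixed(hardened, "Admin", request)
        rejected = False
    except UserExistsError:
        rejected = True
    return {"vulnerable_admin_lost_super": lost, "fixed_rejected": rejected,
            "fixed_admin_kept_super": hardened["admin"]["access"]["admin"]["super"]}
```

The case-insensitive key matters because the vulnerable path reaches the same stored account whichever spelling the request uses, so the fixed path must collide on the same normalised name.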

Exploit

Fix

DoS

IDOR

Improper Privilege Management

Improper Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-42609
GHSA-RR73-568V-28F8

Affected Products

Grav