PT-2026-37276 · Packagist · Getgrav/Grav
Published
2026-05-05
·
Updated
2026-05-05
·
CVE-2026-42610
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Summary
Information disclosure exists in
Grav CMS v1.8.0-beta.29. Despite previous security patches (notably in v1.8.0-beta.27/28) aimed at restricting sensitive object access within the Twig environment, the Accounts Service remains exposed.A low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the
grav['accounts'] service. Attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt.Affected version
Grav CMS:
v1.8.0-beta.29 (and earlier 1.8.x beta versions).Note: This vulnerability persists even after the vendor attempted to mitigate similar SSTI vectors in earlier beta releases.
Steps to Reproduce
-
Create a low-privileged account (MY CASE IS 'editor chen') with permissions limited to admin.login and basic page management (create, update, list). Ensure all administrative permissions (Configuration, User Accounts, ...) are explicitly Denied.
-
Login to the Admin panel using
editor chen. Navigate to Pages and edit theHomepage. -
Under the Advanced tab, ensure Process Twig is enabled .
-
In the Content tab, inject the following Twig payload designed to bypass the
isDangerousFunctionfilter by accessing the internal service container:
---
title: Information Disclosure Test
process:
twig: true
---
# Security Audit Results
- Admin Password Hash: {{ grav['accounts'].load('admin').get('hashed password') }}
- Security Salt: {{ grav.config.get('security.salt') }}- Click Save. And navigate to the public page (
http://localhost:8000/home). Page will render and display the administrator's Bcrypt hash and the system security salt.
PoC
---
title: Information Disclosure Test
process:
twig: true
---
# Security Audit Results
- Admin Password Hash: {{ grav['accounts'].load('admin').get('hashed password') }}
- Security Salt: {{ grav.config.get('security.salt') }}Impact
Attackers can obtain the password hashes of all registered users, including Super Administrators.
Extracted hashes can be subjected to offline brute-force or dictionary attacks (EX: USE Hashcat)
Video
Pls refer to the attached video
Maintainer note — fix applied (2026-04-24)
Fixed in Grav core on the
2.0 branch: commit d904efc33 — will ship in 2.0.0-beta.2.What changed: the HMAC key formerly stored as
security.salt in user/config/security.yaml has moved out of the Config tree into user/config/security-private.php. On upgrade, the existing salt value is migrated into the new file on first request (preserving CSRF nonces and sessions) and the key is scrubbed from both the live Config object and the on-disk YAML — so {{ grav.config.get('security.salt') }} from a sandboxed Twig template now returns null. The .php extension is blocked from web access by the default user/*.php htaccess rule; the file contains only a return statement, so direct PHP exec produces no output either.The PoC's password-hash half (
grav['accounts'].load('admin').get('hashed password')) was already covered by the new Twig content sandbox in 2.0.0-beta.2 — UserCollection::load is not in the sandbox allowlist — see the separate GHSA-58hj-46fw-rcfm advisory.Files:
system/src/Grav/Common/Security.php— newSecurity::getNonceKey()+ migration.system/src/Grav/Common/Utils.php—generateNonceStringnow uses the new key.system/src/Grav/Common/Service/SessionServiceProvider.php.system/src/Grav/Common/Config/Setup.php— removed auto-gen ofsecurity.salt.system/config/security.yaml— removed placeholdersalt:.tests/unit/Grav/Common/Security/NonceKeySecurityTest.php— migration + generation coverage.
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Getgrav/Grav