PT-2026-37279 · Grav

Baikuya · Published 2026-05-05 · Updated 2026-05-11 · CVE-2026-42613

CVSS v3.1: 9.4 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Grav version 1.8.0-beta.29; Login Plugin versions prior to 3.8.2

Description: A missing server-side validation issue exists in the Login::register() function of the Login plugin. When user registration is enabled and the groups or access fields are included in the allowed fields configuration, an unauthenticated user can inject these variables into the registration request. Because the Login::validateField() function does not validate the groups and access parameters, an attacker can self-register with admin.super privileges. This privilege escalation can lead to full administrative panel access and potentially remote code execution (RCE).
Recommendations: Update Login Plugin to version 3.8.2 or later. As a temporary workaround, remove groups and access from the user_registration.fields list in the configuration to prevent unauthenticated users from injecting privilege levels.
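The defensive pattern behind both the fix and the workaround is that authorization-bearing keys must never be taken from a self-registration request, whatever the allowed-fields configuration says. The PHP below is an added illustration written for this advisory, not code from the Login plugin: the function names (filterRegistrationData, auditRegistrationFields), the PRIVILEGED_FIELDS constant and the sample request and configuration are all assumptions constructed to mirror the scenario described above.

```php
<?php
// Added example, not the Login plugin's code. Assumed names:
// PRIVILEGED_FIELDS, filterRegistrationData(), auditRegistrationFields().
// The sample $post and $allowedFields below are constructed to mirror the
// advisory: an unauthenticated client adds `groups` and `access` to a
// registration request while the configuration mistakenly allows them.

declare(strict_types=1);

// Keys that grant authorization and must never be client-controlled.
const PRIVILEGED_FIELDS = ['groups', 'access'];

/**
 * Keep only fields that are both configured as allowed AND not privileged.
 * Returns [filteredData, droppedKeys] so the caller can log the attempt.
 */
function filterRegistrationData(array $post, array $allowedFields): array
{
    $filtered = [];
    $dropped  = [];
    foreach ($post as $key => $value) {
        // Enforce the deny list even if the operator allowed the key in config;
        // the server-side check must not depend on configuration being right.
        if (in_array($key, PRIVILEGED_FIELDS, true) || !in_array($key, $allowedFields, true)) {
            $dropped[] = $key;
            continue;
        }
        $filtered[$key] = $value;
    }
    return [$filtered, $dropped];
}

/**
 * Configuration check for the advisory's workaround: return any privileged
 * key that is present in user_registration.fields.
 */
function auditRegistrationFields(array $allowedFields): array
{
    return array_values(array_intersect($allowedFields, PRIVILEGED_FIELDS));
}

// --- Constructed sample input (weak configuration, hostile request) ---
$allowedFields = ['username', 'email', 'password', 'fullname', 'groups', 'access'];
$post = [
    'username' => 'newuser',
    'email'    => 'newuser@example.com',
    'password' => 'constructed-sample-password',
    'fullname' => 'New User',
    'groups'   => ['admins'],
    'access'   => ['admin' => ['super' => true]],
];

// Flag the weak configuration so operators can apply the workaround.
$risky = auditRegistrationFields($allowedFields);
if ($risky !== []) {
    fwrite(STDERR, 'WARNING: user_registration.fields allows privileged keys: '
        . implode(', ', $risky) . "\n");
}

// Strip privileged keys regardless of configuration and record the attempt;
// only profile fields reach account creation.
[$safe, $dropped] = filterRegistrationData($post, $allowedFields);
if ($dropped !== []) {
    error_log('Registration request carried disallowed keys: ' . implode(', ', $dropped));
}
print_r($safe);
```

Run it with `php example.php`: the audit warning shows the configuration-level risk the workaround removes, and the dropped-keys log line is the kind of signal worth alerting on, since a legitimate registration form never sends groups or access.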

Exploit · Fix · RCE · Missing Authorization

Weakness Enumeration

Related Identifiers: CVE-2026-42613, GHSA-PXM6-MHXR-Q4MJ

Affected Products: Grav, Login Plugin