PT-2026-38282 · Grav · Grav+1
Published 2026-05-06 · Updated 2026-05-19 · CVE-2026-42844
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Grav version 2.0.0-beta.2
Description
A low-privileged authenticated API user holding the api.media.write permission can achieve full administrative compromise of the Grav API. The issue lies in the API plugin's blueprint upload flow: the endpoint "/api/v1/blueprint-upload" accepts caller-controlled destination and scope values and uses them to resolve the filesystem write target. By supplying destination=self@: and scope=users/anything, an attacker can write an arbitrary YAML file into the user/accounts/ directory. Because the system loads account YAML files from that directory and accepts plaintext passwords on first login, this allows the creation of a new account with api.super privileges, resulting in vertical privilege escalation.
Recommendations
Update the API to version 1.0.0-beta.17.
As a temporary workaround, restrict access to the "/api/v1/blueprint-upload" endpoint or disable the api.media.write permission for untrusted users.
Exploit
Fix
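As an added defender-side check (example code written for this page, not from the advisory or the Grav project): a script that audits user/accounts/ for the artefact the escalation above leaves behind, an account file with a plaintext password combined with api.super access. It assumes Grav's nested access layout (access.api.super / access.admin.super) and uses a small purpose-built YAML reader instead of PyYAML so it runs offline.

```python
"""Audit Grav account files (user/accounts/*.yaml) for the artefact the
escalation above leaves behind: a plaintext `password:` entry (accepted on
first login) combined with api.super or admin.super access.
Assumption (not from the advisory): accounts use Grav's nested layout
`access: {api: {super: true}}` / `access: {admin: {super: true}}`."""
from pathlib import Path

TRUTHY = {"true", "1", "yes", "on"}

def flatten_yaml(text: str) -> dict:
    """Minimal indent-based reader for plain `key: value` YAML (no lists,
    no quoting; enough for account files). Returns dotted keys,
    e.g. {'access.api.super': 'true'}. Constructed here, not a Grav API."""
    out, stack = {}, []          # stack holds (indent, key) of open parents
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()          # close parents at the same or deeper level
        stack.append((indent, key.strip()))
        if value.strip():
            out[".".join(k for _, k in stack)] = value.strip()
    return out

def audit_account(text: str) -> list:
    """Return the findings for one account file (empty list = clean)."""
    acct = flatten_yaml(text)
    findings = []
    if "password" in acct:       # hashed accounts carry hashed_password instead
        findings.append("plaintext password present")
    for key in ("access.api.super", "access.admin.super"):
        if acct.get(key, "").lower() in TRUTHY:
            findings.append(f"{key} granted")
    return findings

def audit_dir(accounts_dir: str) -> dict:
    """Map file name -> findings for every *.yaml in the accounts directory."""
    report = {}
    for path in sorted(Path(accounts_dir).glob("*.yaml")):
        findings = audit_account(path.read_text(encoding="utf-8"))
        if findings:
            report[path.name] = findings
    return report

# Constructed samples: one planted super account, one ordinary hashed account.
PLANTED = "email: ops@example.com\npassword: Passw0rd!\naccess:\n  api:\n    super: true\n"
ORDINARY = "email: ed@example.com\nhashed_password: $2y$10$placeholder\naccess:\n  api:\n    media:\n      write: true\n"

if __name__ == "__main__":
    print(audit_account(PLANTED))   # ['plaintext password present', 'access.api.super granted']
    print(audit_dir("user/accounts"))
```

Run it from the Grav root after applying the update; any file it reports should be reviewed against the site's expected accounts.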
Improper Privilege Management
Unrestricted File Upload
Related Identifiers
Affected Products
Api
Grav