CVE-2026-42844 is a high-severity improper privilege management vulnerability in getgrav/grav (composer), affecting versions < 2.0.0-beta.4. It is fixed in 2.0.0-beta.4.
Summary

In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This results in full administrative compromise of the Grav API.

Details

The vulnerability is located in the API plugin's blueprint upload flow:
- user/plugins/api/classes/Api/ApiRouter.php:261
- user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:32-45
- user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:102-114
- user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:271-308
- user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:407-417
- user/plugins/api/classes/Api/Controllers/AuthController.php:41-55

The issue exists because /api/v1/blueprint-upload accepts caller-controlled destination and scope values and uses them to resolve the final filesystem write target. When the request uses:
- destination=self@:
- scope=users/anything
the server resolves the write target to the shared account directory, user/accounts/.

The upload handler then writes the supplied file directly into that directory and does not block YAML account files. Because Grav accepts account YAML files and supports a plaintext password: field on first login, an attacker can create a fully functional administrator account with api.super.

The required attacker privilege is low (api.media.write).

PoC

Step 1: Authenticate as the low-privileged API user. (Screenshot: login-uploader.)
Step 2: Upload a malicious account YAML file. (Screenshot: upload.)
Step 3: Log in as the newly created account. (Screenshot: pwned-login.)
Step 4: Verify privileged API access. Expected result: the request succeeds and returns system-level information. (Screenshot: system-info.)

Impact

This is an authenticated vertical privilege-escalation vulnerability. Any API user with basic media upload capability can escalate directly to a full API super administrator by planting a new account YAML file.

Once api.super access is obtained, the attacker gains full control over the CMS management API and can:
- modify content
- alter configuration
- manage users
- install or update plugins/themes
- access system-level administration features

In a real deployment, this level of control is sufficient for complete CMS compromise and may be chained into server-side code execution depending on enabled plugins, writable template paths, or package-management workflow.

This issue was reproduced locally:
- the upload response returned user/accounts/pwned.yaml
- logging in as pwned succeeded
- the new account had super_admin = true
- privileged endpoints such as /api/v1/system/info were accessible
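As a defender-side check tied to the indicators above (a new user/accounts/*.yaml carrying a plaintext password: field and api.super), here is an added audit script; it is not Grav or API-plugin code, and the account layout it parses (hashed_password versus plaintext password, access.api.super) is assumed from the advisory.

```python
"""Audit Grav account files for the signs this advisory describes: a planted
account with a plaintext password: field and api.super. Added example, not Grav code."""
import re
from pathlib import Path

KEY_LINE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*?)\s*$")

def flatten_yaml(text):
    """Tiny parser for nested key/value mappings (no sequences or block scalars)."""
    flat, parents = {}, []                       # parents: [(indent, key), ...]
    for raw in text.splitlines():
        m = KEY_LINE.match(raw)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while parents and parents[-1][0] >= indent:   # leave finished mappings
            parents.pop()
        path = ".".join([k for _, k in parents] + [key])   # e.g. access.api.super
        if value == "":                          # mapping header such as "access:"
            parents.append((indent, key))
        else:
            flat[path] = value.strip("'\"")
    return flat

def audit_account(text):
    """Indicators present in one account file."""
    doc, hits = flatten_yaml(text), []
    if "password" in doc:                        # normal accounts carry hashed_password
        hits.append("plaintext password")
    if doc.get("access.api.super", "").lower() == "true":
        hits.append("api.super")
    return hits

def find_planted(accounts):
    """accounts: {filename: yaml_text}. Flag files showing both indicators."""
    return sorted(n for n, t in accounts.items()
                  if set(audit_account(t)) >= {"plaintext password", "api.super"})

def audit_dir(accounts_dir):
    """Run against a real install, e.g. audit_dir('user/accounts')."""
    return find_planted({p.name: p.read_text() for p in Path(accounts_dir).glob("*.yaml")})

SAMPLES = {  # constructed samples in the assumed account layout, not from a real install
    "admin.yaml": "hashed_password: '$2y$10$PLACEHOLDER'\naccess:\n  admin:\n"
                  "    login: true\n    super: true\n",
    "uploader.yaml": "hashed_password: '$2y$10$PLACEHOLDER'\naccess:\n  api:\n"
                     "    login: true\n    media:\n      write: true\n",
    "pwned.yaml": "password: attacker-chosen\naccess:\n  api:\n    login: true\n"
                  "    super: true\n",
}
```

A hit from audit_dir('user/accounts') is worth correlating with the web server's /api/v1/blueprint-upload requests around the file's modification time.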
The application assigns, modifies, tracks, or checks privileges incorrectly, allowing a user to gain elevated access. Typical impact: privilege escalation beyond the intended level.
Affected: getgrav/grav < 2.0.0-beta.4 (composer). Fixed in: getgrav/grav 2.0.0-beta.4 (composer).

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Upgrade getgrav/grav to 2.0.0-beta.4 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
getgrav/grav (composer) versions < 2.0.0-beta.4 are affected.
Yes. CVE-2026-42844 is fixed in 2.0.0-beta.4. Upgrade to this version or later.
Whether CVE-2026-42844 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns.