CVE-2026-42613

Grav · Grav CMS

Grav CMS is vulnerable to an authentication bypass during user registration, allowing an unauthenticated user to assign themselves administrative privileges.

Executive summary

An unauthenticated attacker can gain full administrative control of a Grav CMS instance by exploiting a flaw in the user registration process.

Vulnerability

This is an authentication and privilege escalation vulnerability in the Login::register() method. The method does not validate the submitted group and access fields, so any unauthenticated user can register an account that carries admin.super privileges.
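The defect class described above, as an added illustration that is not Grav's code: a registration handler that copies every submitted field into the new account beside one that whitelists registrant-supplied fields and assigns group and access values server-side. The field names follow Grav's account layout (`groups`, `access.admin.super`); the function names and default values are assumptions.

```php
<?php
// Added example (hypothetical, not Grav's Login::register()). Shows why
// copying all submitted fields into an account lets a registrant choose
// their own authorization, and one way to close that gap.

// VULNERABLE pattern: whatever the client submits becomes account data,
// so submitted "groups" or "access" values are stored unchecked.
function buildAccountVulnerable(array $submitted): array
{
    return $submitted;
}

// HARDENED pattern: only identity fields are taken from the request;
// group membership and access are fixed by server-side policy.
function buildAccountHardened(array $submitted, array $defaults): array
{
    $allowed = ['username', 'email', 'fullname', 'password'];
    $account = [];
    foreach ($allowed as $key) {
        if (array_key_exists($key, $submitted)) {
            $account[$key] = $submitted[$key];
        }
    }
    // Authorization never comes from the registrant.
    $account['groups'] = $defaults['groups'];
    $account['access'] = $defaults['access'];
    $account['state']  = 'enabled';
    return $account;
}

// Constructed sample submission: a normal registration that also carries
// its own group and access fields, as the advisory describes.
$submitted = [
    'username' => 'newuser',
    'email'    => 'newuser@example.com',
    'password' => 'correct-horse-battery',
    'groups'   => ['admins'],
    'access'   => ['admin' => ['login' => true, 'super' => true]],
];
$defaults = [
    'groups' => ['registered'],
    'access' => ['site' => ['login' => true]],
];

$bad  = buildAccountVulnerable($submitted);
$good = buildAccountHardened($submitted, $defaults);

// The vulnerable build retains the submitted admin.super flag;
// the hardened build carries no admin access block at all.
var_dump(isset($bad['access']['admin']['super']));
var_dump(isset($good['access']['admin']));
```

The same whitelist logic doubles as an audit check: any existing account file whose `access.admin.super` is true but whose creation was not performed by an administrator is one the remediation section asks you to review.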

Business impact

This vulnerability allows an attacker to take over the entire content management system, leading to total loss of control over the website's content, users, and configuration. The 9.4 CVSS score reflects the high risk of complete platform takeover.

Remediation

Immediate Action: Upgrade to Grav version 2.0.0-beta.2 or later.

Proactive Monitoring: Review the user list for unauthorized accounts with administrative roles and audit registration logs for anomalous activity.

Compensating Controls: If upgrading is not immediately possible, disable user registration functionality.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Immediate patching is essential. Organizations should update their Grav installation and conduct a thorough audit of their user base to ensure no unauthorized administrative accounts have been created.