CVE-2026-59190
GetGrav · Grav Admin Plugin
The Grav Admin plugin is vulnerable to an authorization bypass, allowing authenticated users to perform unauthorized administrative actions through user-controlled keys.
Executive summary
An authorization bypass vulnerability in the Grav Admin plugin allows authenticated users to escalate privileges and perform unauthorized administrative tasks.
Vulnerability
This vulnerability (CWE-639) occurs in the administrative interface, where improper validation of user-controlled keys allows an attacker with low-level privileges to bypass authorization checks. This effectively grants the user administrative control over the platform's configuration and page management.
Business impact
Successful exploitation grants an attacker full control over the Grav CMS interface, enabling them to modify content, alter site configurations, or potentially inject malicious scripts. Given the CVSS score of 8.7, this is a critical threat to the integrity and availability of the web platform, as it permits unauthorized administrative actions.
Remediation
Immediate Action: Update the Grav Admin plugin to the latest version provided by the vendor to ensure proper authorization checks are enforced.
Proactive Monitoring: Review administrative audit logs for unauthorized configuration changes or page modifications that occur outside of expected maintenance windows.
Compensating Controls: Implement strict role-based access control (RBAC) and limit administrative access to the Grav dashboard to trusted IP addresses via a Web Application Firewall (WAF).
Exploitation status
Public Exploit Available: false
Analyst recommendation
The ability to bypass authorization in an administrative plugin is a severe security failure. Administrators must ensure the plugin is updated immediately to prevent privilege escalation attacks that could lead to full site takeover.