CVE-2026-59190

GetGrav · Grav Admin Plugin

The Grav Admin plugin is vulnerable to an authorization bypass, allowing authenticated users to perform unauthorized administrative actions through user-controlled keys.

Executive summary

An authorization bypass vulnerability in the Grav Admin plugin allows authenticated users to escalate privileges and perform unauthorized administrative tasks.

Vulnerability

This vulnerability (CWE-639) occurs in the administrative interface, where improper validation of user-controlled keys allows an attacker with low-level privileges to bypass authorization checks. This effectively grants the user administrative control over the platform's configuration and page management.

Business impact

Successful exploitation grants an attacker full control over the Grav CMS interface, enabling them to modify content, alter site configurations, or potentially inject malicious scripts. Given the CVSS score of 8.7, this is a critical threat to the integrity and availability of the web platform, as it permits unauthorized administrative actions.

Remediation

Immediate Action: Update the Grav Admin plugin to the latest version provided by the vendor to ensure proper authorization checks are enforced.

Proactive Monitoring: Review administrative audit logs for unauthorized configuration changes or page modifications that occur outside of expected maintenance windows.

Compensating Controls: Implement strict role-based access control (RBAC) and limit administrative access to the Grav dashboard to trusted IP addresses via a Web Application Firewall (WAF).

Exploitation status

Public Exploit Available: false

Analyst recommendation

The ability to bypass authorization in an administrative plugin is a severe security failure. Administrators must ensure the plugin is updated immediately to prevent privilege escalation attacks that could lead to full site takeover.