VYPR
High severity (8.1) · GHSA Advisory · Published May 11, 2026 · Updated May 14, 2026

CVE-2026-42609

Description

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the request. This leads to a Denial of Service (DoS) on administrative functions and Privilege De-escalation of the root account. This vulnerability is fixed in 2.0.0-beta.2.
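The flaw described above, reduced to a stand-alone PHP illustration added here; this is not Grav's code, and the in-memory account store, the request shape and the function names are assumptions. It contrasts a "create user" handler that writes straight through to whatever record already exists with one that treats create and update as distinct operations and refuses to touch an existing account, so a role limited to user creation cannot replace the administrator's record:

```php
<?php
// Added illustration, not Grav's code. The account store is an in-memory
// array (username => record) standing in for whatever backend is used.

declare(strict_types=1);

// Constructed sample store with one super-admin account.
$accounts = [
    'admin' => [
        'email'  => 'admin@example.test',
        'access' => ['admin' => ['super' => true]],
    ],
];

// VULNERABLE pattern: "create" is just a save. When the submitted username
// already exists, the existing record (including its access flags) is
// replaced by the caller's data, so a user-creation-only role can rewrite
// the administrator account.
function createUserVulnerable(array &$accounts, string $username, array $data): void
{
    $accounts[$username] = $data;   // no existence check: silent overwrite
}

// HARDENED pattern: create must fail if the account exists, and the
// comparison is normalized (trimmed, lower-cased) so case variants of a
// name cannot bypass the check. Normalizing on both sides is an assumption
// about how usernames should be compared, not a description of Grav.
function normalizeUsername(string $username): string
{
    return mb_strtolower(trim($username));
}

function createUserHardened(array &$accounts, string $username, array $data): void
{
    $wanted = normalizeUsername($username);
    foreach (array_keys($accounts) as $existing) {
        if (normalizeUsername($existing) === $wanted) {
            throw new RuntimeException(
                "Account '$username' already exists; creation refused (use the update action)."
            );
        }
    }
    // Only fields a user-creation role may set are copied; access flags are
    // assigned server-side, never taken from the request.
    $accounts[$wanted] = [
        'email'  => $data['email'] ?? '',
        'access' => ['site' => ['login' => true]],
    ];
}

// Constructed request from a low-privileged account manager that reuses
// the administrator's username.
$request = [
    'email'  => 'newuser@example.test',
    'access' => ['site' => ['login' => true]],
];

// Vulnerable handler: the admin record is replaced and loses its super flag.
$vuln = $accounts;
createUserVulnerable($vuln, 'admin', $request);
var_dump(isset($vuln['admin']['access']['admin']['super']));

// Hardened handler: the request is rejected and the admin record is untouched.
$safe = $accounts;
try {
    createUserHardened($safe, 'Admin ', $request);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump($safe['admin']['access']['admin']['super']);
```

The check that matters is the existence test on the create path; a separate update action should carry its own authorization requirement (being allowed to create accounts should not imply being allowed to modify an administrator's), which is why the hardened handler never merges into an existing record.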

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: getgrav/grav (Packagist)
Affected versions: < 2.0.0-beta.2
Patched versions: 2.0.0-beta.2

Affected products

  • Getgrav/Grav (GHSA), 3 versions
    • (no CPE) range: < 2.0.0-beta.2
    • cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:* range: <=1.8.0
    • cpe:2.3:a:getgrav:grav:2.0.0:beta1:*:*:*:*:*:*
  • ghsa-coords
    Range: < 2.0.0-beta.2
