CVE-2026-42844
Grav: Low-privileged API users can create super-admin accounts via blueprint-upload
| Field | Value |
| --- | --- |
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Grav is a file-based web platform. In Grav 2.0.0-beta.2, an authenticated API user holding only the low-privileged api.media.write permission can abuse the /api/v1/blueprint-upload endpoint to write an arbitrary YAML file into user/accounts/, the directory in which Grav stores its account definitions. The attacker then logs in as the newly created account, which they have given api.super privileges, and so obtains full administrative control of the Grav API. This vulnerability is fixed in API 1.0.0-beta.17.
| Field | Value |
| --- | --- |
| CWE | CWE-434, CWE-269 |
| Vendor | getgrav |
| Product | grav |
| Published | May 12, 2026 |
| Last Updated | May 13, 2026 |
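The root cause described above is an upload endpoint that lets a caller choose where a file lands, and the impact is a YAML file appearing in user/accounts/. The following added example (Python for illustration; Grav itself is PHP and this is not the project's code) shows the unconfined path join that produces that outcome beside a hardened resolver that rejects traversal, absolute paths, symlink escapes, non-YAML names and any destination inside a protected directory, plus a baseline diff a responder can run over user/accounts/ to spot account files that were added or changed. The upload root user/data/blueprints, the protected-directory list, the demo directory tree and the account-file fields are all assumptions constructed for the example.

```python
"""Path confinement for an upload endpoint plus a baseline check on
user/accounts/.  Added example, not Grav project code.  The upload root,
the protected-directory list and the account-file fields are assumptions."""
import hashlib
import os
import tempfile
from pathlib import Path, PurePosixPath

ALLOWED_UPLOAD_ROOT = "user/data/blueprints"      # assumed upload root
PROTECTED_DIRS = ("user/accounts", "user/config")  # assumed deny-list
ALLOWED_SUFFIXES = (".yaml", ".yml")


def vulnerable_destination(site_root: str, requested: str) -> str:
    """Insecure pattern: the caller-supplied name is joined to the upload root
    with no confinement, so '../' segments land the file anywhere on disk."""
    return os.path.normpath(os.path.join(site_root, ALLOWED_UPLOAD_ROOT, requested))


def safe_destination(site_root: str, requested: str) -> str:
    """Hardened resolution: reject traversal, absolute paths and non-YAML
    names up front, then resolve symlinks and require the final path to sit
    under the upload root and outside every protected directory."""
    root = Path(site_root).resolve()
    allowed = (root / ALLOWED_UPLOAD_ROOT).resolve()
    name = PurePosixPath(requested)
    if name.is_absolute() or ".." in name.parts or name.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"rejected upload name: {requested!r}")
    target = (allowed / name).resolve()  # follows symlinks before the containment check
    if target == allowed or allowed not in target.parents:
        raise ValueError(f"destination escapes upload root: {target}")
    for rel in PROTECTED_DIRS:
        protected = (root / rel).resolve()
        if target == protected or protected in target.parents:
            raise ValueError(f"destination inside protected directory {rel}")
    return str(target)


def rejected(site_root: str, requested: str) -> bool:
    """True when the hardened resolver refuses the requested name."""
    try:
        safe_destination(site_root, requested)
    except ValueError:
        return True
    return False


def snapshot_accounts(site_root: str) -> dict:
    """Map each account file under user/accounts/ to its SHA-256 digest.
    Record this from a known-good state and diff it after suspicious API use."""
    acct = Path(site_root) / "user" / "accounts"
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(acct.iterdir()) if p.suffix.lower() in ALLOWED_SUFFIXES}


def unexpected_accounts(baseline: dict, current: dict) -> list:
    """Account files that are new or modified relative to the baseline."""
    return sorted(n for n, h in current.items() if baseline.get(n) != h)


def build_demo_site() -> str:
    """Constructed Grav-like tree in a temp dir (layout and fields assumed)."""
    root = tempfile.mkdtemp(prefix="grav-demo-")
    upload = Path(root) / ALLOWED_UPLOAD_ROOT
    upload.mkdir(parents=True)
    acct = Path(root) / "user" / "accounts"
    acct.mkdir(parents=True)
    (acct / "admin.yaml").write_text("email: admin@example.test\naccess:\n  api:\n    super: true\n")
    # symlink inside the upload root pointing at the account directory, to show
    # that resolving before the check also catches symlink-based escapes
    os.symlink(acct, upload / "shared")
    return root


def plant_rogue_account(site_root: str, username: str) -> str:
    """Simulate the advisory's outcome: a YAML account file dropped into
    user/accounts/ through the unconfined path (constructed content)."""
    dest = vulnerable_destination(site_root, f"../../accounts/{username}.yaml")
    Path(dest).write_text("email: attacker@example.test\naccess:\n  api:\n    super: true\n")
    return dest


if __name__ == "__main__":
    root = build_demo_site()
    print("unconfined join lands at:", vulnerable_destination(root, "../../accounts/evil.yaml"))
    for name in ("form.yaml", "../../accounts/evil.yaml", "shared/evil.yaml", "shell.php"):
        print(f"{name!r:30} rejected={rejected(root, name)}")
    base = snapshot_accounts(root)
    plant_rogue_account(root, "attacker")
    print("unexpected account files:", unexpected_accounts(base, snapshot_accounts(root)))
```

Resolving the target with symlinks followed before comparing it against the upload root is what turns a string-prefix check into a real containment check; the deny-list on user/accounts/ and user/config/ is a second layer in case the allowed root is ever misconfigured to overlap them. The baseline diff is the responder's side of the same bug: any account file that appears or changes without a corresponding administrative action deserves a look.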
Affected Versions
getgrav / grav
2.0.0-beta.2