CVE-2026-42610: Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass

May 5, 2026

Information disclosure exists in Grav CMS v1.8.0-beta.29. Despite previous security patches (notably in v1.8.0-beta.27/28) aimed at restricting sensitive object access within the Twig environment, the Accounts Service remains exposed.

A low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav['accounts'] service. Attacker can programmatically load administrative user objects and extract sensitive data, including Bcrypt password hashes and the security salt.

References

github.com/advisories/GHSA-3f29-pqwf-v4j4
github.com/getgrav/grav
github.com/getgrav/grav/commit/c66dfeb5ff679a1667678c6335eb9ff3255dfc47
github.com/getgrav/grav/security/advisories/GHSA-3f29-pqwf-v4j4
nvd.nist.gov/vuln/detail/CVE-2026-42610

Code Behaviors & Features

Detect and mitigate CVE-2026-42610 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →