CVE-2026-7317: Grav has Insecure Deserialization in File Cache
(updated )
Insecure Deserialization in File Cache
- Severity: High
- CWE: CWE-502
- Location:
system/src/Grav/Framework/Cache/Adapter/FileCache.php - Sink:
unserialize($value, ['allowed_classes' => true])
Affected version(s)
- Affected:
>= 1.7.44and<= 1.7.49.5(verified in current codebase and changelog-covered releases). - Fixed: No upstream fix identified in the reviewed branch at the time of analysis.
- Notes: Earlier
1.7.xreleases may also be affected, but were not fully back-traced in this review.
Notes
allowed_classes => true allows object instantiation and does not constrain classes.
PoC (Primitive Demonstration)
Preconditions
- Local PHP runtime.
- Goal is to validate the deserialization primitive used in cache retrieval.
Steps
php -r '
class CacheWakeup { public function __wakeup(){ file_put_contents("/tmp/grav_filecache_poc.txt", "wakeup"); } }
$payload = serialize(new CacheWakeup());
unserialize($payload, ["allowed_classes" => true]);
echo file_exists("/tmp/grav_filecache_poc.txt") ? "FILECACHE_UNSERIALIZE_TRIGGERED\n" : "FILECACHE_UNSERIALIZE_NOT_TRIGGERED\n";
'
Expected Result
- Output contains:
FILECACHE_UNSERIALIZE_TRIGGERED.
Interpretation
This reproduces the same unsafe primitive used by FileCache::doGet():
unserialize($value, ['allowed_classes' => true]).
If cache files are attacker-tampered, object magic methods may execute.
Exploit Preconditions
- Cache file poisoning/tampering capability.
Recommendation
- Avoid object deserialization in cache payloads.
- Use non-object formats and integrity protection for cache files.
Maintainer note — fix applied (2026-04-24)
Fixed in Grav core on the 2.0 branch: commit c66dfeb5f — will ship in 2.0.0-beta.2.
What changed: Framework\Cache\Adapter\FileCache now HMAC-signs every cache payload with Security::getNonceKey() on write, and verifies the HMAC on read. Tampered, forged, or pre-upgrade files are treated as cache misses and unlinked instead of being unserialized. The on-disk format is now versioned:
v2
<expires>
<key>
<hmac-hex>
<serialized>
Existing caches rebuild transparently on first read. Note that Framework\Cache\Adapter\FileCache isn’t wired into Grav’s main cache path — Symfony’s FilesystemAdapter is — but the class is reachable by plugin and downstream consumers, so the hardening applies defensively.
References
- github.com/advisories/GHSA-gwfr-jfjf-92vv
- github.com/devsamuelsantiago/grav-cms-filecache-object-injection
- github.com/getgrav/grav
- github.com/getgrav/grav/commit/5a12f9be8314682c8713e569e330f11805d0a663
- github.com/getgrav/grav/commit/c66dfeb5f
- github.com/getgrav/grav/security/advisories/GHSA-gwfr-jfjf-92vv
- nvd.nist.gov/vuln/detail/CVE-2026-7317
- vuldb.com/submit/798732
- vuldb.com/vuln/359965
- vuldb.com/vuln/359965/cti
Code Behaviors & Features
Detect and mitigate CVE-2026-7317 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →