CVE-2025-66296: Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover

December 2, 2025

A privilege escalation vulnerability exists in Grav’s Admin plugin due to the absence of username uniqueness validation when creating users. A user with the create user permission can create a new account using the same username as an existing administrator account, set a new password/email, and then log in as that administrator. This effectively allows privilege escalation from limited user-manager permissions to full administrator access.

References

github.com/advisories/GHSA-cjcp-qxvg-4rjm
github.com/getgrav/grav
github.com/getgrav/grav/commit/3462d94d575064601689b236508c316242e15741
github.com/getgrav/grav/security/advisories/GHSA-cjcp-qxvg-4rjm
nvd.nist.gov/vuln/detail/CVE-2025-66296

Code Behaviors & Features

Detect and mitigate CVE-2025-66296 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →