CVE-2026-55885 in Grav
Summary
by MITRE • 07/10/2026
Grav is a file-based Web platform. Prior to 1.7.53, an authenticated administrator with backup permissions can download a ZIP archive containing the full Grav installation root, including user/accounts/admin.yaml with the administrator password hash and user/config with site configuration, through the backup download endpoint protected only by the session-static admin-nonce URL parameter. This issue is reported as fixed in version 1.7.53.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability in Grav versions prior to 1.7.53 represents a critical access control flaw that allows authenticated administrators with backup permissions to escalate their privileges and gain unauthorized access to sensitive system information. This weakness stems from inadequate authorization checks within the backup download endpoint, which relies solely on a session-static admin-nonce URL parameter for protection rather than implementing proper authentication verification mechanisms. The vulnerability affects the core security model of the platform by permitting unauthorized data extraction through what should be a controlled administrative function.
The technical implementation of this flaw involves the backup download functionality failing to validate that the requesting user possesses sufficient privileges to access the complete system archive. The admin-nonce parameter, while providing some level of protection against cross-site request forgery attacks, does not adequately verify the authenticity of the administrator's intent or credentials. Attackers with merely backup permissions can exploit this weakness by crafting malicious requests to the backup endpoint and obtaining ZIP archives containing the entire Grav installation root directory structure. This exposes critical configuration files including user/accounts/admin.yaml which contains the administrator password hash and user/config directories with site configuration details.
The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with comprehensive system introspection capabilities that could facilitate further attacks. The exposed administrator password hash enables offline password cracking attempts using tools like john the ripper or hashcat, potentially leading to complete system compromise if weak passwords are used. Additionally, the site configuration files may contain sensitive information such as database connection strings, third-party API keys, or other credentials that could be leveraged for lateral movement within network environments. The vulnerability essentially transforms a limited backup functionality into a full system reconnaissance and exploitation tool.
Organizations using affected Grav versions should immediately implement mitigations including upgrading to version 1.7.53 or later, which addresses this issue through enhanced authentication verification mechanisms. Security administrators should also review and restrict backup permissions to only the most trusted users within their organization, while monitoring for any suspicious backup download activities in system logs. The vulnerability aligns with CWE-284 Access Control Issues, specifically focusing on insufficient access control mechanisms that allow unauthorized data extraction. From an ATT&CK perspective, this weakness maps to T1213 Data from Information Repositories and T1566 Phishing, as it enables attackers to gather intelligence for more sophisticated social engineering campaigns targeting system administrators.
The remediation process requires not only updating the software but also implementing comprehensive access control policies that enforce the principle of least privilege. Administrators should conduct thorough audits of backup permissions across all Grav installations and ensure that only essential personnel maintain these capabilities. Network monitoring solutions should be configured to detect unusual patterns in backup download requests, particularly those originating from unexpected IP addresses or occurring outside normal business hours. The fix implemented in version 1.7.53 demonstrates proper authorization enforcement by validating user credentials against the current session before permitting access to system archives, thereby preventing the escalation of privileges through manipulated nonce parameters and ensuring that administrative functions remain properly restricted to authorized personnel only.