CVE-2026-59190 in Grav
Summary
by MITRE • 07/10/2026
grav-plugin-admin is an HTML user interface that provides a way to configure Grav and create and modify pages. In 1.10.52 and earlier, an authenticated attacker with admin.users permission can change the password of any user account, including the super administrator, by sending a direct POST request to /admin/user/{username}?task=save with data[password] because saveUser authorizes the caller's user-management permission but does not verify whether the caller may edit the target user. This issue is expected to be fixed in version 1.10.53.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
This vulnerability exists within the grav-plugin-admin plugin, which serves as the administrative web interface for the Grav content management system. The flaw represents a critical authorization bypass that allows authenticated users with minimal privileges to escalate their access and modify any user account within the system. The vulnerability specifically affects versions 1.10.52 and earlier, creating a persistent security risk for installations that have not been updated to the patched version 1.10.53.
The technical implementation of this vulnerability stems from improper access control validation within the saveUser function. When an authenticated user with admin.users permission attempts to modify a user account through the direct POST endpoint /admin/user/{username}?task=save, the system only validates that the requesting user possesses sufficient privileges for user management operations. However, it fails to verify whether the requesting user has explicit authorization to modify the target user account, creating a privilege escalation path. This oversight allows attackers to craft malicious requests targeting any username within the system, including the super administrator account, effectively bypassing the intended access controls.
The operational impact of this vulnerability is severe and far-reaching, as it enables an authenticated attacker to completely compromise user accounts across the entire system. The ability to change passwords for any user, including the highest privileged accounts, provides attackers with persistent access to administrative functions and potentially full system control. This vulnerability directly violates fundamental security principles of least privilege and role-based access control, making it particularly dangerous in multi-user environments where administrators may have varying levels of clearance. Organizations relying on Grav's admin interface could face complete system compromise if this vulnerability remains unpatched.
The vulnerability maps to CWE-285: "Improper Authorization" which specifically addresses situations where systems fail to properly validate authorization for operations. From an attack perspective, this issue aligns with ATT&CK technique T1078.004: "Valid Accounts: Cloud Accounts" and T1531: "Account Access Removal", as it enables unauthorized account modification and potential privilege escalation. The flaw demonstrates a classic case of insufficient authorization checks where the system assumes that any user with user management permissions can modify any target user, ignoring the principle that users should only be able to modify accounts within their authorized scope. Organizations should immediately implement the available patch for version 1.10.53 and conduct thorough security audits of all administrative interfaces to identify similar authorization bypass vulnerabilities. Additionally, implementing proper audit logging for user modification activities will help detect unauthorized account changes even before such patches are applied, providing defense-in-depth against similar future threats.