CVE-2026-62234 in Grav
Summary
by MITRE • 07/17/2026
Grav before 2.0.4 fails to restrict cURL protocols in webhook dispatch, allowing authenticated users with api.webhooks.write permission to create webhooks with file://, dict://, or gopher:// URLs. Attackers can trigger webhook events to read local files, access process information, or pivot to internal services via unrestricted protocol handlers.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability in Grav versions prior to 2.0.4 represents a critical security flaw that stems from inadequate input validation within the webhook dispatch mechanism. This weakness allows authenticated users possessing the api.webhooks.write permission to manipulate webhook configurations by specifying malicious cURL protocols such as file://, dict://, or gopher://. The root cause lies in the application's failure to properly sanitize and restrict the protocol schemes accepted during webhook creation, creating an attack surface that directly violates secure coding principles and industry standards. This issue aligns with CWE-20, which addresses improper input validation, and specifically manifests as a protocol handler vulnerability that enables unauthorized data access and potential lateral movement within network environments.
The technical implementation of this vulnerability exploits the underlying cURL library functionality that Grav utilizes for webhook communication. When attackers craft webhook payloads using restricted protocols, they can leverage these handlers to execute unintended operations on the server hosting the Grav application. The file:// protocol allows direct access to local filesystem resources, enabling attackers to read sensitive configuration files, user data, or system information. The dict:// and gopher:// protocols provide additional attack vectors that can be used to access internal services or retrieve process information through network protocol interactions. These unrestricted protocol handlers essentially transform the webhook functionality from a legitimate communication mechanism into a potential reconnaissance and exploitation tool.
The operational impact of this vulnerability extends beyond simple information disclosure, creating significant risk for organizations relying on Grav for content management or web application hosting. Attackers with minimal privileges can escalate their access to sensitive system resources, potentially leading to full system compromise through the ability to read local files containing database credentials, configuration settings, or other confidential data. The vulnerability also enables internal network reconnaissance by allowing attackers to pivot to other services running on the same host or accessible through the compromised server. This capability particularly threatens environments where Grav instances are deployed in shared hosting scenarios or where the application has access to internal resources that should normally be restricted from external access.
Organizations should immediately implement mitigations including updating to Grav version 2.0.4 or later, which contains proper protocol restriction mechanisms. Network-level controls such as firewall rules that block outbound connections to internal services can provide additional defense in depth. The implementation of strict input validation and protocol whitelisting for webhook configurations aligns with ATT&CK technique T1071.004, which covers application layer protocol usage for command and control communications. Administrators should also review user permissions and implement the principle of least privilege to minimize the potential impact of compromised accounts with webhooks.write permissions. Regular security assessments and monitoring of webhook activity can help detect anomalous behavior that may indicate exploitation attempts, particularly when unusual protocols or file access patterns are observed in system logs.