CVE-2026-62236 in gravinfo

Summary

by MITRE • 07/17/2026

grav-plugin-login before 3.8.11 contains a cross-site request forgery (CSRF) vulnerability in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated session user without any anti-CSRF nonce or Origin/Referer check. Because Grav core dispatches the task from the GET 'task:' URI parameter and the default session cookie is SameSite=Lax, an attacker can lure a logged-in victim to an off-site page that performs a top-level GET navigation, rotating the victim's TOTP secret so their enrolled authenticator no longer matches the server, effectively forcing 2FA re-enrollment. Sites configured with session.samesite: Strict are not affected.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/17/2026

This cross-site request forgery vulnerability exists within the grav-plugin-login plugin version 3.8.11 and earlier, specifically affecting the login.regenerate2FASecret frontend task functionality. The flaw stems from inadequate anti-CSRF protection mechanisms that fail to validate the authenticity of requests targeting the TOTP secret regeneration endpoint. When a user performs a GET request containing the task parameter, the system processes the request without verifying the presence of a valid anti-CSRF token or performing origin/referer validation checks. This weakness allows attackers to manipulate authenticated sessions through malicious web pages that trigger unintended actions on behalf of logged-in users.

The technical implementation of this vulnerability leverages the default SameSite=Lax session cookie configuration in Grav core, which permits cross-site requests initiated by top-level navigation from external domains. Attackers can construct malicious web pages that contain hidden iframes or direct navigation to the vulnerable endpoint, thereby executing the TOTP secret regeneration process without user consent. The attack requires only a logged-in victim session, as the system does not enforce proper CSRF protection mechanisms for this specific task handler. This creates a scenario where legitimate authenticated users become victims of unauthorized actions that compromise their two-factor authentication security posture.

The operational impact of this vulnerability extends beyond simple session manipulation to fundamentally undermine the security of user accounts that rely on two-factor authentication. When an attacker successfully regenerates a victim's TOTP secret, they effectively sever the connection between the user's authenticator application and the server, forcing users to undergo time-consuming re-enrollment processes. This creates both immediate security risks by potentially allowing unauthorized access and long-term operational costs through user support requests and service disruptions. The vulnerability is particularly dangerous because it can be executed silently without user awareness, making detection difficult and potentially enabling credential theft or account takeover scenarios.

Organizations running Grav installations with affected plugin versions face significant security implications that require immediate attention to prevent potential exploitation. The recommended mitigation strategy involves upgrading to grav-plugin-login version 3.8.11 or later, which implements proper anti-CSRF protections for the vulnerable task endpoint. Additionally, administrators should consider implementing stricter session cookie policies by configuring session.samesite: Strict in their Grav configuration files, which would prevent this specific attack vector from succeeding even if other mitigations are not fully implemented. Security teams should also monitor for potential exploitation attempts through web application firewall rules that can detect suspicious patterns in task parameter usage.

This vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses in software systems, and represents a classic example of insufficient anti-CSRF protection mechanisms. The attack pattern follows the typical STRIDE threat modeling approach where an attacker can perform unauthorized operations through manipulated requests that leverage existing authenticated sessions. From an ATT&CK perspective, this vulnerability maps to techniques involving privilege escalation and credential access through session manipulation, potentially enabling further attacks such as account takeover or information disclosure. Organizations should also consider implementing additional security controls including multi-factor authentication enforcement, regular security audits of third-party plugins, and network-level monitoring for suspicious patterns related to task parameter usage in web applications.

The broader implications of this vulnerability highlight the critical importance of proper session management and CSRF protection in web applications, particularly those handling sensitive authentication functions. System administrators should conduct comprehensive assessments of their Grav installations to identify all potentially affected plugins and ensure that security updates are applied promptly. The vulnerability demonstrates how seemingly minor implementation flaws in authentication systems can create significant security risks that affect user trust and organizational security posture, emphasizing the need for robust security testing practices including automated scanning and manual penetration testing of authentication flows.

Responsible

VulnCheck

Reservation

07/13/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!