Cyber Resilience

CVE-2026-42609

High · Public PoC

Published: 11 May 2026
Modified: 14 May 2026
KEV Added: not listed
Patch: fixed in 2.0.0-beta.2
CVSS Score (v3.1): 8.1 (High) · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS Score: 0.0046 (36.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-42609 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Getgrav Grav. Its CVSS 3.1 base score is 8.1 (High). Read from the vector: the flaw is reachable over the network with low attack complexity and no user interaction, but it requires an already-authenticated low-privileged account (PR:L); the impact is high on integrity and availability and nil on confidentiality, which matches an attacker who can clobber accounts but does not read anything new.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE sits at the 36.8th percentile for exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Vulnerability details

Grav is a file-based web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (holding only the user-creation permission) to overwrite existing accounts, including the primary administrator. When such a user creates a new user with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the request: the create path and the update path share one unconditional write. The result is a denial of service on administrative functions and privilege de-escalation of the root (primary administrator) account, whose access is replaced by whatever the low-privileged user submitted. The vulnerability is fixed in 2.0.0-beta.2.
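The create-versus-update confusion described above, shown as an added example that is not Grav's code or its fix. It models a file-per-account store loosely shaped like Grav's user/accounts/<username> layout (JSON instead of YAML so it runs with the standard library only), replays the advisory scenario with a flawed create routine and a hardened one, and reports what happened to the real administrator. The field names, paths, username normalisation rule and sample accounts are all assumptions constructed for this example.

```python
"""Added illustration for CVE-2026-42609 (not Grav's code). It models the
create-versus-update confusion with a file-per-account store loosely shaped
like Grav's user/accounts/<username> layout, using JSON instead of YAML so
it runs with the standard library only. Field names, paths, sample accounts
and the username normalisation rule are assumptions made for this example."""
import json
import os
import tempfile
from pathlib import Path

# Constructed sample data: a super-admin and a helpdesk user whose only admin
# right is managing users (the "user creation permission" in the advisory).
SEED_ACCOUNTS = {
    "admin": {"email": "admin@example.test",
              "access": {"admin": {"login": True, "super": True}}},
    "helpdesk": {"email": "help@example.test",
                 "access": {"admin": {"login": True, "users": True}}},
}


def seed_store(root: Path) -> Path:
    root.mkdir(parents=True, exist_ok=True)
    for name, data in SEED_ACCOUNTS.items():
        (root / f"{name}.json").write_text(json.dumps(data))
    return root


def normalize_username(username: str) -> str:
    """Canonical form used for the file name (assumption: case-insensitive).
    Normalising BEFORE any existence check matters: a check on the raw
    string would miss that 'Admin' and 'admin' map to the same file."""
    name = username.strip().lower()
    if not name or not all(c.isalnum() or c in "._-" for c in name):
        raise ValueError("invalid username")
    return name


def create_user_vulnerable(root: Path, username: str, data: dict) -> None:
    """Flawed 'create': one unconditional write serves both create and update,
    so a request naming an existing user silently replaces that record."""
    (root / f"{normalize_username(username)}.json").write_text(json.dumps(data))


def create_user_fixed(root: Path, username: str, data: dict) -> None:
    """Hardened 'create': O_CREAT|O_EXCL makes existence check and creation one
    atomic step, so an existing account (the administrator included) can never
    be overwritten through the create path, and the check cannot be raced."""
    path = root / f"{normalize_username(username)}.json"
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        raise PermissionError(
            f"account '{username}' already exists; updates need their own "
            "authorization check and must not reuse the create path") from None
    with os.fdopen(fd, "w") as fh:
        fh.write(json.dumps(data))


def super_admins(root: Path) -> set:
    """Usernames whose record grants admin.super (the 'root' account)."""
    found = set()
    for path in root.glob("*.json"):
        data = json.loads(path.read_text())
        if data.get("access", {}).get("admin", {}).get("super"):
            found.add(path.stem)
    return found


def run_scenario(create_fn) -> dict:
    """Replay the advisory: the helpdesk user 'creates' a user named 'Admin'
    carrying only login access. Returns what happened to the real admin."""
    with tempfile.TemporaryDirectory() as tmp:
        root = seed_store(Path(tmp) / "accounts")
        before = super_admins(root)
        payload = {"email": "attacker@example.test",
                   "access": {"admin": {"login": True}}}
        try:
            create_fn(root, "Admin", payload)
            rejected = False
        except PermissionError:
            rejected = True
        after = super_admins(root)
        # Accounts that lost super are the "privilege de-escalation" the
        # advisory describes; an empty set means no super-admin is left.
        return {"rejected": rejected,
                "lost_super": sorted(before - after),
                "super_remaining": sorted(after)}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(create_user_vulnerable))
    print("fixed:     ", run_scenario(create_user_fixed))
```

Two design points carry over to any real fix. First, "create" must fail closed when the target already exists, and the existence check has to be atomic with the write (here `O_EXCL`), otherwise a racing request slips through the gap between check and write. Second, the check has to run on the same canonical name the store actually uses; if the store lowercases on write but the guard compares the raw input, a request for `Admin` still lands on `admin`.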

CWE(s): CWE-269 Improper Privilege Management

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1098 Account Manipulation (tactic: Persistence)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

A logic flaw lets an authenticated low-privileged user overwrite administrator accounts. Exploiting the flaw to alter privilege state maps to T1068; the unauthorized modification of existing accounts maps to T1098.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66297 (same product: Getgrav Grav)
CVE-2025-66301 (same product: Getgrav Grav)
CVE-2025-66299 (same product: Getgrav Grav)
CVE-2025-46199 (same product: Getgrav Grav)
CVE-2026-42611 (same product: Getgrav Grav)
CVE-2025-66295 (same product: Getgrav Grav)
CVE-2026-42608 (same product: Getgrav Grav)
CVE-2025-66294 (same product: Getgrav Grav)
CVE-2026-42612 (same product: Getgrav Grav)
CVE-2021-47812 (same product: Getgrav Grav)

Affected Assets

Vendor: getgrav
Product: grav
Versions: 2.0.0 · ≤ 1.8.0 (the advisory text above places the fix in 2.0.0-beta.2, so 2.0.0 pre-release builds earlier than beta.2 are the affected 2.x line)

Mitigating Controls

Likely Mitigating Controls (AI mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-285, CWE-269: Documented procedures facilitate correct implementation and ongoing management of authorization decisions.

Addresses CWE-285, CWE-269: Periodic reviews identify and correct flaws in authorization decisions or enforcement.

Addresses CWE-285, CWE-269: Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions.

Addresses CWE-285, CWE-639: The control mandates authorization decisions for each access request, reducing the ability to exploit improper authorization weaknesses.

Addresses CWE-285, CWE-269: Ensures authorization decisions are always performed by a complete and analyzable reference monitor.

Addresses CWE-285, CWE-639: The control requires checking and applying authorization decisions per policy, preventing improper authorization.

Addresses CWE-269, CWE-285: By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.

Addresses CWE-269, CWE-285: Implements core proper privilege management by restricting accounts to only the rights they require.

References