Grav: Twig sandbox allows editor-role users to exfiltrate all plugin...

7.7 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Description

Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray() from within a page body, dumping the entire merged site configuration — including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens) — into the rendered HTML. No administrator privileges are required. This vulnerability is fixed in 2.0.0-rc.2.

Basic Information

ID CVE-2026-44738

Source GitHub_M

Published May 11, 2026 at 15:47

Affected Product

Vendor getgrav

Product grav

Version < 2.0.0-rc.2

Affected Versions getgrav grav < 2.0.0-rc.2

CWE Classification

CWE-200

References

github.com /getgrav/grav/security/advisories/GHSA-j274-39qw-32c9

{
    "lastseen": "",
    "description": "Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray() from within a page body, dumping the entire merged site configuration \u2014 including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens) \u2014 into the rendered HTML. No administrator privileges are required. This vulnerability is fixed in 2.0.0-rc.2.",
    "published": "2026-05-11T15:47:46.778Z",
    "modified": "2026-05-11T15:47:46.778Z",
    "type": "cve",
    "title": "Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()",
    "source": "GitHub_M",
    "references": "https://github.com/getgrav/grav/security/advisories/GHSA-j274-39qw-32c9",
    "id": "CVE-2026-44738",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "getgrav grav < 2.0.0-rc.2",
    "sourceHref": "",
    "cvss": {
        "score": 7.7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "grav",
    "version": "< 2.0.0-rc.2",
    "vendor": "getgrav",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()_CVE-2026-44738