CVE-2025-66296
📋 TL;DR
A privilege escalation vulnerability in Grav's Admin plugin allows users with create-user permissions to overwrite administrator accounts by creating new users with identical usernames. This enables attackers with limited user management access to gain full administrative control. All Grav installations using affected Admin plugin versions are vulnerable.
💻 Affected Systems
- Grav CMS with Admin plugin
📦 What is this software?
Grav by Getgrav
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Grav instance, allowing attackers to modify content, install malicious plugins, access sensitive data, and potentially pivot to other systems.
Likely Case
Unauthorized administrative access leading to website defacement, data theft, or installation of backdoors.
If Mitigated
Limited impact if strict access controls limit who has create-user permissions and regular monitoring detects unusual account creation.
🎯 Exploit Status
Exploitation requires authenticated access with user creation permissions. The attack is straightforward - create a user with an existing admin username and set new credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.0-beta.27
Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-cjcp-qxvg-4rjm
Restart Required: No
Instructions:
1. Backup your Grav installation.
2. Update Grav to version 1.8.0-beta.27 or later via the Admin panel or manually.
3. Verify the update completed successfully.
4. Review user accounts for any suspicious changes.
🔧 Temporary Workarounds
Restrict User Creation Permissions
Temporarily remove or restrict 'create user' permissions from non-administrative accounts until patching is complete.
Edit user permissions in Grav Admin panel: Users → Permissions → Remove 'create user' from non-admin accounts
🧯 If You Can't Patch
- Immediately audit all user accounts for duplicate usernames and suspicious account modifications
- Implement strict access controls and monitoring for user creation activities
🔍 How to Verify
Check if Vulnerable:
Check Grav version via Admin panel or run: php bin/grav version. If version is below 1.8.0-beta.27, you are vulnerable.
Check Version:
php bin/grav version
Verify Fix Applied:
After updating, verify that the version is 1.8.0-beta.27 or higher and test that creating a user with an existing admin username now fails with an appropriate error.
📡 Detection & Monitoring
Log Indicators:
- Multiple user creation attempts with existing usernames
- User account modifications from non-admin accounts
- Successful login from newly created admin accounts
Network Indicators:
- Unusual POST requests to /admin/users/create endpoint
- Multiple failed user creation attempts followed by successful admin login
SIEM Query:
source="grav_logs" AND ((event="user_created" AND username IN (SELECT username FROM admin_users)) OR (event="user_login" AND user_agent_changed=true))
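The log indicators above can be turned into a concrete check: flag every user_created event whose username already exists, escalate it when the target is a super-admin account and the actor is not, and note whether a login as that username follows. This is an added example, not code from Grav or the advisory; the accounts table and the key=value log lines are constructed, and Grav's real log format is an assumption you will need to adapt.

```python
import re

# Constructed sample of accounts that exist before the suspicious activity,
# keyed by username with the "access" block from each account's YAML file
# (assumption: one account file per user under user/accounts/, not parsed here).
EXISTING_ACCOUNTS = {
    "admin":  {"access": {"admin": {"super": True}}},
    "editor": {"access": {"admin": {"login": True, "users": True}}},
}

# Constructed log lines in an assumed key=value shape; Grav's actual log
# format is not given on the page, so adapt parse_event() to your source.
SAMPLE_LOG = """\
ts=2025-01-10T10:00:01Z event=user_login actor=editor
ts=2025-01-10T10:00:15Z event=user_created actor=editor username=intern
ts=2025-01-10T10:01:02Z event=user_created actor=editor username=Admin
ts=2025-01-10T10:01:30Z event=user_login actor=admin
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Parse one key=value log line into a dict."""
    return dict(KV_RE.findall(line))

def is_super_admin(account):
    """True when the account's access block grants admin.super."""
    return bool(account.get("access", {}).get("admin", {}).get("super"))

def find_admin_overwrites(existing, log_text):
    """Flag user_created events whose username collides with an existing account.
    A collision with a super-admin account by a non-super actor is the
    CVE-2025-66296 pattern; a later login as that username is recorded too."""
    alerts, overwritten = [], {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        event, actor = ev.get("event"), ev.get("actor", "")
        if event == "user_created":
            # Lowercased on the assumption that account files are matched
            # case-insensitively, so "Admin" is treated as "admin".
            target = ev.get("username", "").lower()
            if target not in existing:
                continue
            critical = is_super_admin(existing[target]) and not is_super_admin(existing.get(actor, {}))
            alert = {"ts": ev["ts"], "actor": actor, "username": target,
                     "severity": "critical" if critical else "warning",
                     "followed_by_login": False}
            alerts.append(alert)
            overwritten[target] = alert
        elif event == "user_login" and actor.lower() in overwritten:
            overwritten[actor.lower()]["followed_by_login"] = True
    return alerts
```

Running it on the sample yields one critical alert for the "Admin" creation by editor, marked as followed by a login; the "intern" creation is ignored because no such account existed.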