CVE-2025-66306
📋 TL;DR
Grav CMS versions before 1.8.0-beta.27 contain an IDOR vulnerability in the admin panel that allows low-privilege users to access sensitive information from other user accounts, including admin email addresses. This affects all Grav CMS installations with the admin panel enabled and multiple user accounts. While direct account takeover isn't possible, the exposed information increases risks of phishing, credential stuffing, and social engineering attacks.
💻 Affected Systems
- Grav CMS
📦 What is this software?
Grav by Getgrav
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain admin email addresses and metadata, enabling targeted phishing campaigns that could lead to credential theft and eventual admin account compromise through social engineering.
Likely Case
Low-privilege users access other users' email addresses and metadata, potentially enabling targeted phishing against administrators or other users.
If Mitigated
With proper access controls and monitoring, impact is limited to information disclosure without direct system compromise.
🎯 Exploit Status
Exploitation requires authenticated low-privilege user access. The vulnerability is in the admin panel API endpoints that handle user data requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.0-beta.27
Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-4cwq-j7jv-qmwg
Restart Required: No
Instructions:
1. Backup your Grav installation.
2. Update Grav to version 1.8.0-beta.27 or later via GPM: 'bin/gpm selfupgrade'.
3. Clear cache: 'bin/grav clear-cache'.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict Admin Panel Access
Limit admin panel access to trusted IP addresses only
Configure web server (Apache/Nginx) to restrict access to /admin path
Disable Unnecessary User Accounts
Remove or disable low-privilege user accounts that don't require admin panel access
Edit user accounts in /user/accounts/ directory or via admin panel
🧯 If You Can't Patch
- Implement strict access controls to limit which users can access the admin panel
- Monitor admin panel access logs for unusual user ID parameter patterns
🔍 How to Verify
Check if Vulnerable:
Check the Grav version with 'bin/grav version'. If the reported version is earlier than 1.8.0-beta.27, the installation is vulnerable.
Check Version:
bin/grav version
Verify Fix Applied:
After updating, verify version is 1.8.0-beta.27 or later: 'bin/grav version'
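Added example, not code from the advisory or the Grav project: a small Python helper that applies the "earlier than 1.8.0-beta.27" test to the output of 'bin/grav version'. The page only says to compare versions; the helper goes slightly beyond that by handling pre-release ordering correctly, so that 1.8.0-beta.26 and 1.7.x count as vulnerable while 1.8.0-beta.27, 1.8.0-rc.1 and 1.8.0 count as fixed. It assumes the command prints a dotted version string somewhere in its output; the exact wording of that output is not shown on this page.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed version stated in the advisory: anything older is vulnerable.
FIXED_VERSION = "1.8.0-beta.27"

# Matches x.y.z with an optional -label.N pre-release suffix.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+)?)?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int, str, int]]:
    """Extract the first version token from text and return a sortable key.

    A final release ranks above any pre-release of the same core version, so
    the key carries a flag (1 = release, 0 = pre-release) ahead of the
    pre-release label and number. Returns None when no version is found.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    label = m.group(4)
    if label is None:
        return (major, minor, patch, 1, "", 0)
    number = int(m.group(5)) if m.group(5) else 0
    return (major, minor, patch, 0, label.lower(), number)


def is_vulnerable(version_text: str) -> bool:
    """True when the version found in version_text is older than FIXED_VERSION."""
    key = parse_version(version_text)
    if key is None:
        raise ValueError(f"no version found in: {version_text!r}")
    return key < parse_version(FIXED_VERSION)


def check_installation(grav_root: str = ".") -> bool:
    """Run bin/grav version inside the install directory and evaluate its output.

    Assumption: the command prints the installed version in its stdout; the
    advisory does not show the exact output format.
    """
    out = subprocess.run(
        ["bin/grav", "version"], cwd=grav_root,
        capture_output=True, text=True, check=True,
    ).stdout
    return is_vulnerable(out)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print("VULNERABLE (update to 1.8.0-beta.27 or later)" if check_installation(root) else "patched")
```

Run it from (or point it at) the Grav root; the comparison itself is pure and can be reused in a fleet inventory script that already has version strings.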
📡 Detection & Monitoring
Log Indicators:
- Unusual user ID parameter patterns in admin panel API requests
- Multiple failed authorization attempts followed by successful user data access
Network Indicators:
- Repeated requests to admin panel user endpoints with different ID parameters
SIEM Query:
source="grav-admin" AND (uri_path="/admin/api/users/*" OR uri_path CONTAINS "/admin/") AND (http_method="GET" OR http_method="POST") | stats count by src_ip, user_id
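Added example, not code from the advisory or the Grav project: a Python detector for the log and network indicators listed above. Where the SIEM query counts requests per source IP and user ID, this goes one step further and counts distinct user identifiers read by each source IP, which is the pattern an IDOR walk produces and a normal editor session does not. The log lines are constructed samples in combined log format, and the endpoint shape '/admin/api/users/<id>' (plus an 'id' or 'user' query parameter as a variant) is an assumption based on the query above, not a documented Grav route.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (combined log format), not real Grav logs.
# 203.0.113.5 walks through user IDs; 198.51.100.7 is an ordinary editor session.
SAMPLE_LOG = """\
203.0.113.5 - editor [21/Nov/2025:10:00:01 +0000] "GET /admin/api/users/1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - editor [21/Nov/2025:10:00:02 +0000] "GET /admin/api/users/2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.5 - editor [21/Nov/2025:10:00:03 +0000] "GET /admin/api/users/3 HTTP/1.1" 200 501 "-" "Mozilla/5.0"
203.0.113.5 - editor [21/Nov/2025:10:00:04 +0000] "GET /admin/api/users/4 HTTP/1.1" 200 507 "-" "Mozilla/5.0"
203.0.113.5 - editor [21/Nov/2025:10:00:05 +0000] "GET /admin/api/users/admin HTTP/1.1" 200 530 "-" "Mozilla/5.0"
198.51.100.7 - editor2 [21/Nov/2025:10:01:00 +0000] "GET /admin/pages HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - editor2 [21/Nov/2025:10:01:05 +0000] "GET /admin/api/users/editor2 HTTP/1.1" 200 515 "-" "Mozilla/5.0"
198.51.100.7 - editor2 [21/Nov/2025:10:01:06 +0000] "GET /admin/api/users/editor2 HTTP/1.1" 200 515 "-" "Mozilla/5.0"
192.0.2.9 - - [21/Nov/2025:10:02:00 +0000] "GET /blog HTTP/1.1" 200 8192 "-" "curl/8.0"
"""

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed shape of the user-data endpoint; the advisory only says "admin panel user endpoints".
USER_PATH_RE = re.compile(r"^/admin(?:/api)?/users/(?P<uid>[^/?#]+)")


def user_id_from_target(target: str) -> Optional[str]:
    """Return the user identifier a request addresses, or None if it is not a user endpoint."""
    parts = urlsplit(target)
    m = USER_PATH_RE.match(parts.path)
    if m:
        return m.group("uid")
    # Assumed variant: an id/user query parameter on any admin path.
    if parts.path.startswith("/admin"):
        qs = parse_qs(parts.query)
        for key in ("id", "user"):
            if key in qs:
                return qs[key][0]
    return None


def distinct_user_ids_by_ip(log_text: str) -> Dict[str, Set[str]]:
    """Map each source IP to the set of user identifiers it successfully read."""
    ids: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        # Only successful responses disclose data, so denied attempts are not counted here.
        if not m or m.group("status") != "200":
            continue
        uid = user_id_from_target(m.group("target"))
        if uid is not None:
            ids[m.group("ip")].add(uid)
    return ids


def flag_enumeration(log_text: str, threshold: int = 3) -> List[str]:
    """Source IPs that read `threshold` or more distinct user records: candidate IDOR walks."""
    ids = distinct_user_ids_by_ip(log_text)
    return sorted(ip for ip, seen in ids.items() if len(seen) >= threshold)


if __name__ == "__main__":
    seen_by_ip = distinct_user_ids_by_ip(SAMPLE_LOG)
    for ip in flag_enumeration(SAMPLE_LOG):
        print(f"possible user enumeration from {ip}: {sorted(seen_by_ip[ip])}")
```

The threshold is deliberately low because a legitimate low-privilege user has reason to read only their own record; tune it to the number of accounts an administrator on your site normally touches, and key the aggregation on the authenticated user as well as the IP if your access log records one.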