Grav, the widely used flat-file content management system, has disclosed two highly critical vulnerabilities. The platform, celebrated for requiring “Zero installation” and offering a “powerful Package Management System to allow for simple installation and upgrading of plugins and themes,” is now urgently prompting its users to patch before threat actors can exploit these fatal architectural blind spots.
Security teams must act immediately to secure their deployments against CVE-2026-42613 (CVSS 9.4) and CVE-2026-42607 (CVSS 9.1), a devastating combination of flaws that allows unauthenticated attackers to seize complete control of a server and execute arbitrary code.
The first vulnerability provides attackers with the initial foothold required to compromise the system. Tracked as CVE-2026-42613, this flaw resides in the CMS’s Login plugin—specifically within the Login::register() method.
The vulnerability is rooted in a critical failure to sanitize user inputs during the account creation process. The system blindly accepts attacker-controlled groups and access fields from HTTP POST data. According to the vulnerability documentation, “When registration is enabled and groups or access are included in the configured allowed fields list, an unauthenticated user can self-register with admin.super privileges by injecting these fields into the registration request”.
What makes this flaw particularly dangerous is the underlying design philosophy. As the report explicitly warns, “This is a missing server-side validation issue; the only defense is a config-level fields allowlist, which is an admin-facing setting, not a hardcoded security boundary”.
Once an attacker successfully abuses this missing server-side validation, they are immediately granted Super Admin status, effectively bypassing all authentication barriers and gaining full access to the Grav administrative panel.
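The missing-validation pattern described above, as an added illustration that is not Grav's own code: a simplified registration handler that, like the vulnerable flow, treats the configurable allowlist as its only filter, next to a hardened version that drops privilege-bearing fields regardless of configuration. The field names `groups` and `access` come from the advisory; the function names, `$allowedFields` and the sample request are hypothetical and constructed here.

```php
<?php
// Hypothetical, simplified model of the flaw: this is NOT Grav's Login::register().
// Field names 'groups' and 'access' come from the advisory; everything else is illustrative.

// Fields that carry authorization data and must never be accepted from a
// registration form, whatever the admin-facing allowlist says. Hardcoded on purpose.
const PRIVILEGE_FIELDS = ['groups', 'access'];

// Vulnerable pattern: the config allowlist is the only filter, so an admin who
// adds 'groups' or 'access' to it silently lets registrants assign their own roles.
function buildUserDataVulnerable(array $post, array $allowedFields): array
{
    $user = [];
    foreach ($allowedFields as $field) {
        if (array_key_exists($field, $post)) {
            $user[$field] = $post[$field];
        }
    }
    return $user;
}

// Hardened pattern: apply the allowlist, then unconditionally remove privilege
// fields and assign server-side defaults. Configuration can no longer widen the boundary.
function buildUserDataHardened(array $post, array $allowedFields): array
{
    $user = buildUserDataVulnerable($post, $allowedFields);
    foreach (PRIVILEGE_FIELDS as $field) {
        if (array_key_exists($field, $user)) {
            // Log the attempt: a client supplying these fields is a useful detection signal.
            error_log("registration: dropped client-supplied '$field' field");
            unset($user[$field]);
        }
    }
    // Authorization is decided by the server, never by the registrant.
    $user['groups'] = ['registered'];
    $user['access'] = ['site' => ['login' => true]];
    return $user;
}

// Constructed sample: a misconfigured allowlist plus a request that injects
// admin.super, matching the scenario the advisory describes.
$allowedFields = ['username', 'email', 'password', 'groups', 'access'];
$post = [
    'username' => 'newuser',
    'email'    => 'newuser@example.com',
    'password' => 'hunter2',
    'groups'   => ['admins'],
    'access'   => ['admin' => ['super' => true]],
];

print_r(buildUserDataVulnerable($post, $allowedFields)); // allowlist alone: client fields pass through
print_r(buildUserDataHardened($post, $allowedFields));   // privilege fields replaced by server defaults
```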
Armed with their newly minted Super Admin privileges, the attacker can effortlessly chain the first flaw with CVE-2026-42607, a Remote Code Execution (RCE) vulnerability nestled within Grav’s “Direct Install” feature.
The “Direct Install” tool was designed to simplify the deployment of themes and plugins. However, a fatal oversight in how the Grav Package Manager (GPM) processes ZIP archives has weaponized the feature. “An authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file through the ‘Direct Install’ tool”.
While Grav attempts to enforce basic security by blocking the upload of direct.php files, it fundamentally fails to inspect the actual contents hidden inside the uploaded ZIP archives. The Installer::install() function carelessly extracts the compressed files directly into the /user/plugins/ or /user/themes/ directories without performing any validation on file extensions or types.
The analysis details, “Once a malicious plugin is extracted, it can execute arbitrary PHP code or drop a persistent web shell on the server”.
This lethal exploit chain requires no initial authentication, relies on standard CMS features, and results in a total system compromise.
Organizations deploying Grav CMS must urgently upgrade their environments. Both CVE-2026-42613 and CVE-2026-42607 affect versions prior to 2.0.0-beta.2. Administrators are strongly advised to update to Grav version 2.0.0-beta.2 or later immediately to seal these critical vulnerabilities and protect their infrastructure from active exploitation.