CVE-2026-42613 -- CVSS 9.4 Vulnerability Briefing
CVE-2026-42613 | CVSS 9.4 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-42613 is a privilege escalation vulnerability in the Login plugin for Grav, a file-based PHP web content management platform, where the user registration endpoint fails to sanitize attacker-controlled input fields related to group membership and access permissions.
Technical Detail
The flaw exists in the Login::register() method, which processes POST data submitted during user registration without adequately filtering or rejecting the groups and access fields. An unauthenticated attacker can craft a registration request that includes elevated group memberships or explicit access rights, causing the platform to assign those privileges to the newly created account. Successful exploitation allows an attacker to self-assign administrative or otherwise restricted roles, effectively bypassing the intended access control model and gaining unauthorized elevated access to the Grav installation.
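The following is an added illustration of the hardening principle behind the fix, written for this briefing and not taken from the Grav Login plugin. It contrasts a registration handler that copies every submitted field into the new account (the class of defect described above) with one that copies only an explicit allowlist and assigns authorization state server-side. Field names, the default access map, and the sample request are assumptions; password hashing and persistence are out of scope.

```php
<?php
// Added example (not the Grav Login plugin's own code): allowlisting
// registration input so privilege-bearing keys never reach the account record.
declare(strict_types=1);

// Fields a self-registering user may supply (assumed names).
const REGISTRATION_ALLOWED_FIELDS = ['username', 'email', 'fullname'];

// Keys that carry authorization state and must never come from the client.
const PRIVILEGE_FIELDS = ['groups', 'access', 'state'];

/**
 * Vulnerable pattern, kept for contrast: the whole form is copied into the
 * account, so a client-supplied "groups" or "access" key becomes part of
 * the new user.
 */
function buildAccountUnsafe(array $form): array
{
    $account = $form;            // attacker-controlled keys survive here
    $account['state'] = 'enabled';
    return $account;
}

/**
 * Hardened pattern: copy only allowlisted fields and decide authorization
 * server-side. A request that carries privilege fields is rejected outright,
 * so the attempt is visible to logging instead of being silently dropped.
 */
function buildAccountSafe(array $form): array
{
    foreach (PRIVILEGE_FIELDS as $key) {
        if (array_key_exists($key, $form)) {
            throw new InvalidArgumentException(
                "registration rejected: field '$key' is not permitted"
            );
        }
    }
    $account = [];
    foreach (REGISTRATION_ALLOWED_FIELDS as $field) {
        if (isset($form[$field]) && is_string($form[$field])) {
            $account[$field] = $form[$field];
        }
    }
    // Authorization comes from server configuration, never from the request.
    $account['groups'] = [];                               // or a configured default group
    $account['access'] = ['site' => ['login' => true]];    // assumed default access map
    $account['state']  = 'enabled';
    return $account;
}

// Constructed request of the kind the briefing describes: a normal-looking
// registration form that also carries an "access" block.
$suspicious = [
    'username' => 'newuser',
    'email'    => 'newuser@example.test',
    'fullname' => 'New User',
    'access'   => ['admin' => ['login' => true, 'super' => true]],
];

$unsafe = buildAccountUnsafe($suspicious);
echo 'unsafe handler stored admin access: '
   . var_export(isset($unsafe['access']['admin']['super']), true) . PHP_EOL;

try {
    buildAccountSafe($suspicious);
} catch (InvalidArgumentException $e) {
    echo 'safe handler: ' . $e->getMessage() . PHP_EOL;
}
```

The design point is that the allowlist is the control: filtering out known-bad keys ("groups", "access") would miss any other privilege-bearing field added later, whereas copying only named fields fails closed. Rejecting rather than stripping the offending keys also turns each attempt into a loggable event.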
Exploitation Status
No known exploit code has been identified at this time, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is therefore assessed as "no known exploit": neither public proof-of-concept code nor confirmed in-the-wild abuse has been observed as of this writing. However, the vulnerability class (mass assignment of privilege-bearing fields) is straightforward, and the attack surface is the public-facing registration endpoint, which lowers the technical barrier for independent discovery.
Who Is Targeting This
No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability in available intelligence. Given the nature of the flaw and the prevalence of CMS-targeting opportunistic actors, organizations running public-facing Grav installations with open registration should treat this as a credible risk even in the absence of confirmed attribution.
What To Do
Upgrade the Grav Login plugin to version 2.0.0-beta.2 or later, which addresses this vulnerability. If an immediate upgrade is not feasible, disable public user self-registration on the Grav instance as a temporary workaround, since the attack vector requires access to the registration POST endpoint. Administrators should audit existing user accounts for unexpected group memberships or elevated access rights that may indicate prior exploitation. As a detection signal, monitor for registration requests that carry "groups" or "access" POST parameters; note that standard web server access logs do not record POST bodies, so this requires request-body logging at a WAF, reverse proxy, or application level.
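As an added example of the account audit recommended above (written for this briefing, not part of Grav), the script below checks parsed account records for group memberships outside an expected baseline and for access rights in any scope other than "site". It assumes Grav account records expose a "groups" list and a nested "access" map once their YAML is parsed; the known-admin list, the expected group, and the sample records are constructed placeholders.

```php
<?php
// Added example (not part of the briefing or of Grav): flag accounts whose
// privileges self-registration should never have produced.
declare(strict_types=1);

// Accounts legitimately allowed elevated access (placeholder values).
const KNOWN_ADMINS = ['siteadmin'];
// Groups a self-registered user may legitimately hold (placeholder values).
const EXPECTED_GROUPS = ['members'];

/** True if any access scope other than "site" grants at least one right. */
function hasNonSiteAccess(array $access): bool
{
    foreach ($access as $scope => $rights) {
        if ($scope === 'site') {
            continue;
        }
        if (is_array($rights) ? in_array(true, $rights, true) : $rights === true) {
            return true;
        }
    }
    return false;
}

/**
 * Return [username => reasons[]] for every non-admin account whose groups or
 * access rights fall outside the expected baseline.
 */
function auditAccounts(array $accounts): array
{
    $findings = [];
    foreach ($accounts as $username => $record) {
        if (in_array($username, KNOWN_ADMINS, true)) {
            continue;
        }
        $reasons = [];
        $unexpected = array_diff($record['groups'] ?? [], EXPECTED_GROUPS);
        if ($unexpected !== []) {
            $reasons[] = 'unexpected groups: ' . implode(',', $unexpected);
        }
        $access = $record['access'] ?? [];
        if (is_array($access) && hasNonSiteAccess($access)) {
            $reasons[] = 'non-site access scopes: ' . implode(',', array_keys($access));
        }
        if ($reasons !== []) {
            $findings[$username] = $reasons;
        }
    }
    return $findings;
}

// Constructed records standing in for parsed user/accounts/*.yaml files.
$accounts = [
    'siteadmin' => ['groups' => ['administrators'],
                    'access' => ['admin' => ['login' => true, 'super' => true]]],
    'alice'     => ['groups' => ['members'],
                    'access' => ['site' => ['login' => true]]],
    'mallory'   => ['groups' => ['members', 'administrators'],
                    'access' => ['site' => ['login' => true]]],
    'trent'     => ['groups' => [],
                    'access' => ['site' => ['login' => true], 'admin' => ['login' => true]]],
];

foreach (auditAccounts($accounts) as $user => $reasons) {
    echo $user . ': ' . implode('; ', $reasons) . PHP_EOL;
}
```

In a live audit, replace the constructed array with the parsed contents of each account file under user/accounts, keyed by filename, and treat any finding as a reason to review that account's creation time against the window in which registration was exposed.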