CVE-2026-44738
Published 2026-05-11
Priority P348 · Severity: high · CVSS 3.1 base score 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.28% (19.3rd percentile)
Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray() from within a page body, dumping the entire merged site configuration — including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens) — into the rendered HTML. No administrator privileges are required. This vulnerability is fixed in 2.0.0-rc.2.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getgrav | grav | < 2.0.0-rc.2 | 2.0.0-rc.2 |
| getgrav | grav | < 2.0.0 | 2.0.0 |
| getgrav | grav | — | — |
| getgrav | grav | >= 0 < 2.0.0-rc.2 | 2.0.0-rc.2 |
GHSA
Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()
ghsa · 2026-05-13 · HIGH · CWE-200
## Summary
The Twig sandbox allow-list permits any user with the `admin.pages` role to call `config.toArray()` from within a page body, dumping the entire merged site configuration — including all plugin secrets (SMTP passwords, AWS keys, OAuth client secrets, API tokens) — into the rendered HTML. No administrator privileges are required.
## Details
The Twig sandbox allow-list in `system/config/security.yaml` explicitly permits `Config::toArray()` for the `Grav\Common\Config\Config` class:
```yaml
- class: 'Grav\Common\Config\Config'
  methods: 'get, toarray, value, default, offsetget, offsetexists'
```
The `config` object — which holds the full merged configuration tree including every k
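As an added check (an editor's example, not Grav's own code or the upstream patch), the script below audits an allow-list in the shape quoted above, flags `Config` methods that return the whole merged configuration tree, and emits a hardened copy with them removed. It assumes the YAML has already been loaded into a list of `class`/`methods` dicts and that method names compare case-insensitively (Grav's list is all lowercase); removing `toarray` is this example's mitigation, not a statement of what 2.0.0-rc.2 actually changed.

```python
"""Audit a Grav Twig-sandbox allow-list (security.yaml shape) for the
Config::toArray() exposure in CVE-2026-44738.  Editor's example."""
from typing import Dict, List, Tuple

# Methods that hand back the entire merged configuration tree, and with it
# every plugin secret, instead of one looked-up value.  (Assumption: method
# names compare case-insensitively, since Grav's list is all lowercase.)
BULK_DUMP_METHODS = {"Grav\\Common\\Config\\Config": {"toarray"}}

# Constructed sample: the entry quoted in the advisory plus a harmless one.
SAMPLE_ALLOWLIST: List[Dict[str, str]] = [
    {"class": "Grav\\Common\\Config\\Config",
     "methods": "get, toarray, value, default, offsetget, offsetexists"},
    {"class": "Acme\\Example\\Helper",  # constructed, not a Grav class
     "methods": "title, slug"},
]


def split_methods(spec: str) -> List[str]:
    """Turn Grav's comma-separated method string into a clean list."""
    return [m.strip() for m in spec.split(",") if m.strip()]


def audit_allowlist(entries: List[Dict[str, str]]):
    """Return (findings, hardened): findings lists each (class, method)
    that dumps the whole config; hardened is the allow-list without them."""
    findings: List[Tuple[str, str]] = []
    hardened: List[Dict[str, str]] = []
    for entry in entries:
        cls = entry["class"]
        risky = BULK_DUMP_METHODS.get(cls, set())
        kept = []
        for method in split_methods(entry["methods"]):
            if method.lower() in risky:
                findings.append((cls, method))
            else:
                kept.append(method)
        hardened.append({"class": cls, "methods": ", ".join(kept)})
    return findings, hardened


if __name__ == "__main__":
    found, fixed = audit_allowlist(SAMPLE_ALLOWLIST)
    for cls, method in found:
        print(f"EXPOSED: {cls}::{method}() callable from page bodies")
    print("hardened allow-list:")
    for entry in fixed:
        print(f"- class: '{entry['class']}'\n  methods: '{entry['methods']}'")
```

Run it against the `class`/`methods` entries loaded from your own `system/config/security.yaml` to confirm no bulk-dump method survives on the `Config` class after upgrading.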
VulDB
getgrav up to 2.0.0-rc.2 config.toArray information disclosure (GHSA-j274-39qw-32c9)
vuldb · 2026-05-11 · HIGH · CVSS 7.7
A vulnerability was found in getgrav grav up to 2.0.0-rc.2. It has been declared as problematic. This issue affects the function config.toArray. The manipulation results in information disclosure.
This vulnerability was named CVE-2026-44738. The attack may be performed from remote. There is no available exploit.
It is recommended to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-11