CVE-2026-55885 (published 2026-06-18)
Severity: medium
Grav: Admin Backup Zip File Exposes Account Credentials and Configuration Secrets
### Summary
An authenticated administrator with backup permissions can download a ZIP archive containing the full Grav installation root, including `user/accounts/admin.yaml` with the admin's bcrypt password hash and email, plus `user/config/` with all site configuration. The download endpoint requires only the session-static `admin-nonce` in the URL, no additional form-level CSRF token, and reveals the server's full filesystem path in a Base64-encoded query parameter. Combined with the absence of login rate limiting on `http://{Grav_URL}/admin`, an attacker who obtains a single admin-nonce value (via Referrer leakage, browser history, or XSS) can exfiltrate password hashes for offline cracking and achieve account takeover.
### Details
The vulnerability chain spans three components in the deployed Grav source tree at `/var/www/html/grav/`:
**1. Backup archive scope — `Backups::backup()`**
`/var/www/html/grav/system/src/Grav/Common/Backup/Backups.php:201-272`
The `backup()` static method creates a ZIP of the directory specified by the backup profile's `root` property. The default profile (ID `0`, named `default_site_backup`) backs up the entire Grav root directory. On line 225, when the root is not a stream URI, it falls back to the full installation path:
```php
// Backups.php:225
$backup_root = rtrim(GRAV_ROOT . $backup->root, DS) ?: DS;
```
Since the default profile ships with no `root` override, `$backup->root` is empty, making `$backup_root` equal to `GRAV_ROOT` — i.e. `/var/www/html/grav/`. The archive therefore captures the entire installation including:
- `/var/www/html/grav/user/accounts/` — admin password hash, email, full name, granular permissions
- `/var/www/html/grav/user/config/` — system settings, potentially email SMTP credentials
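As an added example (not Grav project code and not part of the advisory), the following Python script audits a backup archive for the two sensitive locations listed above and shows what a non-empty exclusion list should achieve. The archive is a constructed sample with the layout the advisory describes (entries relative to the Grav root, a placeholder bcrypt hash); the credential key names matched by `SECRET_KEY_RE` are an assumption for this example and are not taken from Grav's account schema.

```python
"""Audit a Grav backup ZIP for credential and configuration files.

Added example, not Grav's own code. Checks the two paths named in the
advisory (user/accounts/, user/config/) and demonstrates an exclusion
filter equivalent to what exclude_paths is meant to provide.
"""
import io
import re
import zipfile

# Archive entries under these directories mean credentials or site
# configuration were captured. Matched anywhere in the entry name so a
# leading directory component (e.g. "grav/") does not hide them.
SENSITIVE_RE = re.compile(r"(^|/)user/(accounts|config)/")

# YAML keys that look like credentials. The key names are an assumption
# for this example, not Grav's schema.
SECRET_KEY_RE = re.compile(
    r"^\s*(password|hashed_password|smtp_password|secret|token)\s*:",
    re.IGNORECASE | re.MULTILINE,
)


def build_sample_backup() -> bytes:
    """Constructed sample archive mirroring the advisory's description."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "user/accounts/admin.yaml",
            "email: admin@example.invalid\n"
            "fullname: Site Admin\n"
            "hashed_password: '$2y$10$PLACEHOLDER_BCRYPT_HASH'\n"  # constructed
            "access:\n  admin:\n    super: true\n",
        )
        zf.writestr("user/config/system.yaml", "absolute_urls: false\n")
        zf.writestr("user/pages/01.home/default.md", "---\ntitle: Home\n---\n")
    return buf.getvalue()


def find_sensitive_entries(zip_bytes: bytes) -> dict:
    """Return the sensitive entries and credential-looking YAML keys found."""
    paths, secret_keys = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not SENSITIVE_RE.search(info.filename):
                continue
            paths.append(info.filename)
            if info.filename.endswith((".yaml", ".yml")):
                text = zf.read(info).decode("utf-8", errors="replace")
                for match in SECRET_KEY_RE.finditer(text):
                    secret_keys.append(f"{info.filename}:{match.group(1)}")
    return {"paths": sorted(paths), "secret_keys": sorted(secret_keys)}


def should_exclude(name: str, exclude_paths) -> bool:
    """True if the entry lies under any excluded directory (paths are
    given relative to the Grav root, with or without a leading slash)."""
    name = name.lstrip("/")
    for excluded in exclude_paths:
        prefix = excluded.strip("/") + "/"
        if name == prefix.rstrip("/") or name.startswith(prefix):
            return True
    return False


def filter_archive(zip_bytes: bytes, exclude_paths) -> bytes:
    """Rebuild the archive without excluded entries, modelling the effect
    a populated exclude_paths setting should have on the backup."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if not should_exclude(info.filename, exclude_paths):
                dst.writestr(info.filename, src.read(info))
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_backup()
    print("unfiltered:", find_sensitive_entries(sample))
    hardened = filter_archive(sample, ["/user/accounts", "/user/config"])
    print("with exclusions:", find_sensitive_entries(hardened))
```

Running the script reports `user/accounts/admin.yaml` (with its `hashed_password` key) and `user/config/system.yaml` in the unfiltered archive, and nothing once `/user/accounts` and `/user/config` are excluded. The same audit can be pointed at a real backup file by reading its bytes instead of calling `build_sample_backup()`.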
The `exclude_files` and `exclude_paths` options on lines 232-235 are empty by default and offer no protection against including accou
### Affected ranges (1)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getgrav | grav | >= 0 < 1.7.53 | 1.7.53 |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.