cbcvebase.
CVE-2026-55885
published 2026-06-18

Severity: medium
Grav: Admin Backup Zip File Exposes Account Credentials and Configuration Secrets

### Summary
An authenticated administrator with backup permissions can download a ZIP archive containing the full Grav installation root, including `user/accounts/admin.yaml` with the admin's bcrypt password hash and email, plus `user/config/` with all site configuration. The download endpoint requires only the session-static `admin-nonce` in the URL, no additional form-level CSRF token, and reveals the server's full filesystem path in a Base64-encoded query parameter. Combined with the absence of login rate limiting on `http://{Grav_URL}/admin`, an attacker who obtains a single admin-nonce value (via Referrer leakage, browser history, or XSS) can exfiltrate password hashes for offline cracking and achieve account takeover.

### Details
The vulnerability chain spans three components in the deployed Grav source tree at `/var/www/html/grav/`:

**1. Backup archive scope — `Backups::backup()`**
`/var/www/html/grav/system/src/Grav/Common/Backup/Backups.php:201-272`

The `backup()` static method creates a ZIP of the directory specified by the backup profile's `root` property. The default profile (ID `0`, named `default_site_backup`) backs up the entire Grav root directory. On line 225, when the root is not a stream URI, it falls back to the full installation path:

```php
// Backups.php:225
$backup_root = rtrim(GRAV_ROOT . $backup->root, DS) ?: DS;
```

Since the default profile ships with no `root` override, `$backup->root` is empty, making `$backup_root` equal to `GRAV_ROOT` — i.e. `/var/www/html/grav/`. The archive therefore captures the entire installation including:

- `/var/www/html/grav/user/accounts/` — admin password hash, email, full name, granular permissions
- `/var/www/html/grav/user/config/` — system settings, potentially email SMTP credentials

The `exclude_files` and `exclude_paths` options on lines 232-235 are empty by default and offer no protection against including accou
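To make the root-resolution and exclusion logic described above concrete, here is an added, self-contained PHP illustration. It is not Grav's own code: `GRAV_ROOT`, the array-shaped profile, the file list and the helper names (`resolveBackupRoot`, `isExcluded`, `filesInArchive`) are all constructed for this example. It shows that an empty `root` resolves to the installation directory, that a profile with empty exclusion lists archives `user/accounts/admin.yaml`, and how a profile that excludes `/user/accounts` and `/backup` keeps the account store and earlier archives out of the ZIP.

```php
<?php
// Added illustration, not Grav's own code: a minimal model of how a backup
// profile's root and exclusion lists decide which files land in the archive.
// GRAV_ROOT, the profile shape and the file list are constructed for this
// example; real Grav profiles are defined in system.yaml and consumed by
// Backups::backup().

const GRAV_ROOT = '/var/www/html/grav/';

/** Resolve the directory that will be zipped, mirroring the rtrim()/?: fallback. */
function resolveBackupRoot(string $profileRoot): string
{
    return rtrim(GRAV_ROOT . $profileRoot, DIRECTORY_SEPARATOR) ?: DIRECTORY_SEPARATOR;
}

/** Return true when a path (relative to the backup root) must stay out of the archive. */
function isExcluded(string $relativePath, array $excludePaths, array $excludeFiles): bool
{
    $relativePath = '/' . ltrim($relativePath, '/');
    foreach ($excludePaths as $prefix) {
        $prefix = rtrim('/' . ltrim($prefix, '/'), '/');
        // Match the directory itself or anything beneath it.
        if ($prefix !== '' && ($relativePath === $prefix || str_starts_with($relativePath, $prefix . '/'))) {
            return true;
        }
    }
    return in_array(basename($relativePath), $excludeFiles, true);
}

/** Return the subset of $files that would end up in the ZIP for a given profile. */
function filesInArchive(array $files, array $profile): array
{
    $kept = [];
    foreach ($files as $file) {
        if (!isExcluded($file, $profile['exclude_paths'], $profile['exclude_files'])) {
            $kept[] = $file;
        }
    }
    return $kept;
}

// Constructed sample of what an installation root contains.
$files = [
    'index.php',
    'user/accounts/admin.yaml',
    'user/config/system.yaml',
    'user/pages/01.home/default.md',
    'backup/previous.zip',
];

// Profile as the advisory describes the default: no root override, no exclusions.
$defaultProfile = ['root' => '', 'exclude_paths' => [], 'exclude_files' => []];

// Hardened profile: keep the account store and earlier backups out of the ZIP.
$hardenedProfile = [
    'root' => '',
    'exclude_paths' => ['/user/accounts', '/backup'],
    'exclude_files' => ['.DS_Store'],
];

echo 'Backup root: ' . resolveBackupRoot($defaultProfile['root']) . PHP_EOL;

foreach (['default' => $defaultProfile, 'hardened' => $hardenedProfile] as $name => $profile) {
    echo "[$name] files archived:" . PHP_EOL;
    foreach (filesInArchive($files, $profile) as $file) {
        echo "  $file" . PHP_EOL;
    }
}
```

Running it lists `user/accounts/admin.yaml` under the default profile and omits it under the hardened one. Excluding the account directory is a configuration-level mitigation only; it does not address the nonce-only download endpoint or the missing login rate limiting, and a backup that omits accounts cannot restore them, so the fixed release listed below remains the primary remedy.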

### Affected

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| getgrav | grav | >= 0, < 1.7.53 | 1.7.53 |