CVE-2026-42609 - Grav - Broken Access Control

Overview

Grav < 2.0.0-beta.2 contains a business logic vulnerability in the Admin Panel caused by improper handling of user creation with existing usernames, letting low-privileged users overwrite accounts, causing denial of service and privilege de-escalation, exploit requires user creation permissions.

Severity & Score

Severity: High

CVSS Score: 8.1

EPSS Score: 3.9%(Probability of exploitation in next 30 days)

Impact

Low-privileged users can overwrite admin accounts, causing denial of service and privilege de-escalation of the root account.

Mitigation

Update to version 2.0.0-beta.2 or later.

References

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

May 11, 2026

🟠 CVE-2026-42609 - High (8.1) Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-42609/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

May 11, 2026

🟠 CVE-2026-42609 - High (8.1) Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-42609/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

CVE-2026-42609 - Vulnerability Analysis

Overview

Severity & Score

Impact

Mitigation

References

Social Media Activity(2 posts)

Related Resources

Details

CWE

CVSS Metrics

EPSS Score