Summary
Vulnerability Report: Grav CMS Unauthenticated Path Traversal & Arbitrary File Write
[ZERO-DAY] Unauthenticated Path Traversal leading to Arbitrary Directory Creation and Configuration Injection
Grav CMS (v1.7.49.5 and latest development source) is vulnerable to a Zero-Day Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary directories and write an index.yaml file containing attacker-controlled data.
This vulnerability can lead to unauthorized modification of application behavior, potential data integrity issues, and service disruption in production environments.
Affected Component
- Versions: Confirmed in Grav v1.7.49.5 (latest stable) and the latest development source (March 2026).
- Class:
Grav\Framework\Form\FormFlash - Method:
__construct()/getTmpDir() - Parameter:
session_id(Mapped to__form-flash-idin POST requests)
Vulnerability Details
The FormFlash class is used to persist form data across redirects. It constructs a temporary storage path using the provided session_id. The path construction logic in the latest source:
$folder = $config['folder'] ?? ($this->sessionId ? 'tmp://forms/' . $this->sessionId : '');
$this->folder = $folder && $locator->isStream($folder) ? $locator->findResource($folder, true, true) : $folder;
Lack of sanitization on the sessionId (the raw session identifier) allows the use of ../ sequences. When findResource resolves the stream, it allows escape into any writable directory within the webserver's scope (typically user/config/, cache/, logs/, and tmp/).
Affected Versions & Zero-Day Status
- Tested Version: v1.7.49.5 (Latest Stable Release as of Nov 2025).
- Development Branch Status: Vulnerable. The latest source code in the GitHub develop branch (March 2026) remains unpatched.
- Affected Range: All Grav CMS versions utilizing the FormFlash component (v1.7.x and potentially older v1.6.x versions).
- CVE Status: Zero-Day (Non-Registered). Extensive research confirmed no existing CVE addresses this specific core FormFlash session-based traversal.
Steps to Reproduce
- Identify any page containing a Grav Form (e.g.,
/contact). - Intercept the POST request during form submission.
- Modify the
__form-flash-idparameter to include a traversal sequence targeting a writable directory (e.g.,../../user/config/proof_dir). - Submit the request.
- Observe that a new directory (
poc/) and file (index.yaml) have been created at the traversed path.
Request Example
POST /contact HTTP/1.1
Host: target.grav.cms
Content-Type: application/x-www-form-urlencoded
__form-name-=contact&__form-flash-id=../../user/config/proof_dir&form-data[name]=Attack&form-data[message]=Payload
Response / Result
- HTTP/1.1 302 Found (Standard redirect)
- Filesystem Modification:
- Directory Created:
/var/www/html/user/config/proof_dir/poc/ - File Created:
/var/www/html/user/config/proof_dir/poc/index.yaml
- Directory Created:
Proof of Concept Evidence (Before/After)
Before Exploitation
- Status: Directory does not exist.
- Evidence:
$ ls -la /var/www/html/user/config/proof_dir/
ls: cannot access '/var/www/html/user/config/proof_dir/': No such file or directory
After Exploitation
- Status: Arbitrary directory and
index.yamlcreated. - Evidence:
$ ls -la /var/www/html/user/config/proof_dir/poc/index.yaml
-rw-rw-r-- 1 www-data www-data 158 Mar 23 22:15 /var/www/html/user/config/proof_dir/poc/index.yaml
$ cat /var/www/html/user/config/proof_dir/poc/index.yaml
form: ''
id: ''
unique_id: poc
...
data:
poc_status: confirmed
Attack Requirements
- Authentication: None (Unauthenticated)
- Configuration: Standard Grav installation with at least one form-enabled page (e.g., Contact, Login, Registration)
Exploitability Assessment
- Complexity: Low. Requires only basic HTTP POST parameters.
- Reliability: 100% (Deterministically reproducible in vulnerable versions).
- Severity: Critical / High. The vulnerability requires no authentication and allows filesystem manipulation and session data corruption.
Maintainer note, fix applied (2026-04-24)
Fixed in Grav core on the 2.0 branch: commit d904efc33, will ship in 2.0.0-beta.2.
What changed: FormFlash::__construct() now sanitizes session_id, unique_id, and id through a strict [A-Za-z0-9,_-]{1,64} allowlist before any path is constructed from them. Invalid values collapse to '', which causes save()/delete()/getTmpDir() to no-op, so a __form-flash-id=../../user/config/proof_dir POST simply does nothing on disk.
Files:
system/src/Grav/Framework/Form/FormFlash.phptests/unit/Grav/Common/Security/FormFlashSecurityTest.php, 32 test cases covering the PoC + variants.
Impact
- Clarified Cross-User Attack: By controlling the session identifier, an attacker can overwrite or interfere with other users temporary form data, breaking session isolation.
- Configuration Injection: Writing
index.yamlinto plugin/theme configuration subdirectories can alter application behavior or inject malicious settings. - Data Integrity: Unauthorized modification of configuration subfolders can lead to widespread site corruption or logical bypasses.
- Denial of Service (DoS): Recursive directory creation enables attackers to exhaust disk space or inodes (inode exhaustion).
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
- Sanitize Session IDs: Apply
basename()or a strict alphanumeric regex to thesession_idin FormFlash before path construction. - Filesystem Hardening: Ensure
user/config/and other sensitive directories have restrictive permissions preventing the webserver from creating new subdirectories. - Update Grav: Monitor for patches addressing FormFlash sanitization.
Frequently Asked Questions
- What is CVE-2026-42608? CVE-2026-42608 is a high-severity path traversal vulnerability in getgrav/grav (composer), affecting versions < 2.0.0-beta.2. It is fixed in 2.0.0-beta.2. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
- Which versions of getgrav/grav are affected by CVE-2026-42608? getgrav/grav (composer) versions < 2.0.0-beta.2 is affected.
- Is there a fix for CVE-2026-42608? Yes. CVE-2026-42608 is fixed in 2.0.0-beta.2. Upgrade to this version or later.
- Is CVE-2026-42608 exploitable, and should I be worried? Whether CVE-2026-42608 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-42608 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-42608? Upgrade
getgrav/gravto 2.0.0-beta.2 or later.