CVE-2026-55885 is a medium-severity security vulnerability in getgrav/grav (composer), affecting versions < 1.7.53. It is fixed in 1.7.53.
Summary

An authenticated administrator with backup permissions can download a ZIP archive containing the full Grav installation root, including user/accounts/admin.yaml with the admin's bcrypt password hash and email, plus user/config/ with all site configuration. The download endpoint requires only the session-static admin-nonce in the URL, no additional form-level CSRF token, and reveals the server's full filesystem path in a Base64-encoded query parameter. Combined with the absence of login rate limiting on http://{GravURL}/admin, an attacker who obtains a single admin-nonce value (via Referrer leakage, browser history, or XSS) can exfiltrate password hashes for offline cracking and achieve account takeover.

Details

The vulnerability chain spans three components in the deployed Grav source tree at /var/www/html/grav/:

1. Backup archive scope, Backups::backup() (/var/www/html/grav/system/src/Grav/Common/Backup/Backups.php:201-272)

The backup() static method creates a ZIP of the directory specified by the backup profile's root property. The default profile (ID 0, named default_site_backup) backs up the entire Grav root directory. On line 225, when the root is not a stream URI, it falls back to the full installation path. Since the default profile ships with no root override, $backup->root is empty, making $backup_root equal to GRAV_ROOT, i.e. /var/www/html/grav/. The archive therefore captures the entire installation, including:
- /var/www/html/grav/user/accounts/: admin password hash, email, full name, granular permissions
- /var/www/html/grav/user/config/: system settings, potentially email SMTP credentials
The exclude_files and exclude_paths options on lines 232-235 are empty by default and offer no protection against including account files.
2. Backup download handler, AdminController::taskBackup() (/var/www/html/grav/user/plugins/admin/classes/plugin/AdminController.php:517-573)

After creating the backup ZIP, the controller Base64-encodes the full filesystem path and embeds it directly in a download URL displayed to the admin. The download handler (lines 532-541) decodes the path, locates the file via the backup:// stream, and serves it with Utils::download($file, true). It performs only two checks: the filename must end in .zip and the file must actually exist. It does not verify that the file belongs to the requesting user, does not enforce a form-level nonce, and does not tie the download to a specific session.

3. Nonce validation, permissive

The backup route is protected only by the admin-nonce parameter appended to the URL path. This nonce is session-static and shared across every admin page. No form-nonce is required, unlike page saves or configuration changes, which demand both admin-nonce and form-nonce. This makes the backup download exploitable via a single crafted GET request from any attacker who knows the nonce value.

PoC

Prerequisites: Admin session with valid admin-nonce.

Step 1, Authenticate and extract the session-static nonces:
Step 2, Trigger a backup (single GET, no form-nonce needed):
Response:
Step 3, Extract the Base64 download token and fetch the ZIP:
Step 4, Extract the password hash from the ZIP:
Output:
Step 5, Crack the bcrypt hash offline:
Step 6, Log in with the cracked password (no rate limit):

Impact

Type: Authenticated sensitive data exposure enabling offline credential theft
Attack surface: Any actor who can obtain admin-nonce (session fixation, reflected XSS, Referrer header leakage, browser history inspection, or proxy log access)
Exposed data: Admin username, email, full name, granular permission structure, bcrypt password hash ($2y$12$...), and full site configuration from user/config/
Downstream risk: Offline hashcat cracking bypasses all server-side brute-force protections. With no login rate limiting (Finding 1), a cracked hash grants immediate unrestricted admin access, including file modification and arbitrary code execution potential through Twig/themes.
Server path leakage: The Base64-encoded download token reveals the absolute filesystem path /var/www/html/grav/backup/, information critical for LFI, file-write, and path traversal attacks.
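As an added defensive check, not part of the advisory or of Grav itself, the following Python audits a backup ZIP for the account and configuration files the backup-scope section above says a default-profile backup captures. The archive it scans is constructed in the code; the assumption is that the archive layout mirrors the installation root and that credentials appear as bcrypt strings in YAML.

```python
import io
import re
import zipfile

# Paths inside a Grav backup that should not leave the server (from the advisory).
# Assumption: archive entries are relative to the installation root.
SENSITIVE_PREFIXES = ("user/accounts/", "user/config/")
# Modular-crypt bcrypt format: $2a$/$2b$/$2y$, cost, then 53 base64-ish chars.
BCRYPT_RE = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")


def build_sample_backup() -> bytes:
    """Constructed stand-in for a default-profile backup; not a real site."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.php", "<?php // site entry point\n")
        zf.writestr("user/pages/01.home/default.md", "# Home\n")
        # Constructed account file; the hash is a placeholder, not a credential.
        zf.writestr(
            "user/accounts/admin.yaml",
            "email: admin@example.invalid\n"
            "fullname: Site Admin\n"
            "hashed_password: $2y$12$" + "x" * 53 + "\n",
        )
        zf.writestr("user/config/system.yaml", "debugger:\n  enabled: false\n")
    return buf.getvalue()


def audit_backup(zip_bytes: bytes) -> dict:
    """Return sensitive entries and those containing a bcrypt hash."""
    findings = {"sensitive_entries": [], "hash_entries": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith(SENSITIVE_PREFIXES):
                continue
            findings["sensitive_entries"].append(name)
            # Only read small YAML files; skip binaries and oversized entries.
            if name.endswith((".yaml", ".yml")) and zf.getinfo(name).file_size < 1_000_000:
                text = zf.read(name).decode("utf-8", errors="replace")
                if BCRYPT_RE.search(text):
                    findings["hash_entries"].append(name)
    return findings


if __name__ == "__main__":
    report = audit_backup(build_sample_backup())
    for entry in report["sensitive_entries"]:
        flag = " [credential hash]" if entry in report["hash_entries"] else ""
        print(f"sensitive: {entry}{flag}")
```

Running it against an archive produced by the backup task shows whether the profile's exclude_paths actually keeps account and configuration files out of downloadable backups.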
CVE-2026-55885 has a CVSS score of 6.8 (Medium). The vector is network-reachable, high privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (1.7.53). Upgrading removes the vulnerable code path.
Affected package: getgrav/grav (composer), versions < 1.7.53. Fixed in: 1.7.53.

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-55885 is reachable in your applications. Explore open-source security for your team.
Upgrade getgrav/grav to 1.7.53 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-55885 has a CVSS score of 6.8 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
getgrav/grav (composer) versions < 1.7.53 are affected.
Yes. CVE-2026-55885 is fixed in 1.7.53. Upgrade to this version or later.
Whether CVE-2026-55885 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade getgrav/grav to 1.7.53 or later.