DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-44738: Grav CMS Twig Sandbox Information Disclosure via Config::toArray()

Vulnerability ID: CVE-2026-44738
CVSS Score: 7.7
Published: 2026-05-13

An information disclosure vulnerability in Grav CMS, a file-based web platform, allows authenticated users holding the admin.pages role to bypass the Twig sandbox restrictions applied to page templates. By calling the config.toArray() method from a template, an attacker can dump the complete system configuration, including highly sensitive values such as SMTP passwords, API tokens, and cloud service credentials.

TL;DR

Authenticated Grav CMS users with page-editing privileges can inject a Twig template payload that bypasses the security sandbox. The injected template dumps the entire site configuration, exposing critical secrets such as AWS keys and OAuth client secrets to the attacker.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-200
  • Attack Vector: Network (Authenticated)
  • CVSS Score: 7.7
  • EPSS Score: 0.00031
  • Impact: Information Disclosure (High)
  • Exploit Status: Proof of Concept Available

Affected Systems

  • Grav CMS Core
  • Grav CMS Admin Plugin
  • Twig Templating Engine Integration
  • Grav CMS: < 2.0.0-rc.2 (Fixed in: 2.0.0-rc.2)

Mitigation Strategies

  • Upgrade Grav CMS to version 2.0.0-rc.2 or later to apply the official sandbox policy fix.
  • Audit user roles and remove the admin.pages role from unnecessary or unverified accounts.
  • Rotate all API keys, SMTP credentials, AWS tokens, and system security salts stored within the Grav configuration.

Remediation Steps

  1. Backup the current Grav CMS file system and user data.
  2. Execute the update procedure via the Grav CLI command bin/gpm selfupgrade or through the admin panel.
  3. Verify that the system is running at least version 2.0.0-rc.2.
  4. Identify all third-party credentials stored in the user/config/ directory.
  5. Generate new credentials for all affected third-party services and update the Grav configuration.
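To support steps 4 and 5 above, the following helper is an added example, not code from the original report or from the Grav project: it walks a user/config/ tree and inventories every YAML key whose name looks like a credential, reporting masked values so the list can be handed to whoever rotates the secrets. The key-name patterns, the line-based YAML handling, and the sample configuration tree it creates are assumptions constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Key names that commonly hold third-party credentials in Grav YAML configs (assumed list)
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|api_?key|salt)", re.I)
# Matches "key: value" lines in flat or indented YAML; lists and multi-line scalars are skipped
LINE_RE = re.compile(r"^(?P<indent>\s*)(?P<key>[A-Za-z0-9_.-]+):\s*(?P<value>\S.*)?$")
EMPTY_VALUES = {"''", '""', "null", "~"}

def mask(value):
    """Keep only the first and last two characters so the report can be shared safely."""
    v = value.strip().strip("'\"")
    return "*" * len(v) if len(v) <= 4 else v[:2] + "*" * (len(v) - 4) + v[-2:]

def inventory_secrets(config_dir):
    """Return (relative file, dotted key path, masked value) for every scalar under
    config_dir whose key name matches SECRET_KEY_RE and whose value is not empty."""
    findings, root = [], Path(config_dir)
    for path in sorted(root.rglob("*.yaml")):
        stack = []  # (indent, key) pairs tracking the current YAML nesting
        for raw in path.read_text(encoding="utf-8").splitlines():
            if not raw.strip() or raw.lstrip().startswith("#"):
                continue
            m = LINE_RE.match(raw)
            if not m:
                continue
            indent = len(m.group("indent"))
            while stack and stack[-1][0] >= indent:
                stack.pop()  # left a nested mapping
            stack.append((indent, m.group("key")))
            value = m.group("value")
            if value is None or value.strip() in EMPTY_VALUES:
                continue  # mapping header or placeholder, nothing to rotate
            if SECRET_KEY_RE.search(m.group("key")):
                dotted = ".".join(key for _, key in stack)
                findings.append((str(path.relative_to(root)), dotted, mask(value)))
    return findings

def write_sample_config():
    """Create a constructed user/config tree in a temp dir (sample data, not a real site)."""
    base = Path(tempfile.mkdtemp(prefix="grav-config-"))
    (base / "plugins").mkdir()
    (base / "system.yaml").write_text("home:\n  alias: '/home'\ndebugger:\n  enabled: false\n")
    (base / "security.yaml").write_text("salt: abc123def456\n")
    (base / "plugins" / "email.yaml").write_text(
        "enabled: true\nmailer:\n  engine: smtp\n  smtp:\n    server: smtp.example.com\n"
        "    port: 587\n    user: mailer@example.com\n    password: 'CONSTRUCTED-smtp-pass'\n"
        "    api_key: ''\n")
    return base

if __name__ == "__main__":
    for file, key, masked in inventory_secrets(write_sample_config()):
        print(f"{file}: {key} = {masked}")
```

Run it against a real site with `inventory_secrets("user/config")`; every line it prints is a credential to regenerate at the third-party service and update in Grav.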

Read the full report for CVE-2026-44738 on our website for more details including interactive diagrams and full exploit analysis.