Critical Privilege Escalation Vulnerability Plagues Grav CMS: CVE-2025-66296

Overview

CVE-2025-66296 is a high-severity privilege escalation vulnerability affecting Grav, a file-based web platform. The flaw allows a user who holds only limited user-management permissions to gain full administrator access by creating a new account with the same username as an existing administrator, bypassing the username uniqueness validation that should reject such a request. The vulnerability has been addressed in version 1.8.0-beta.27.

Technical Details

The vulnerability stems from the absence of proper username uniqueness validation within Grav’s Admin plugin when creating new users. An attacker with the permission to create users (“create user” permission, typically assigned to User Manager roles) can exploit this by:

  1. Creating a new user account.
  2. Using the exact same username as an existing administrator account during the creation process. Due to the missing validation, this creation succeeds.
  3. Setting a new password and/or email address for the newly created account.
  4. Logging in with the newly created account using the chosen password.

Upon successful login, the attacker will inherit the full administrative privileges associated with the existing administrator account whose username was duplicated.
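The following is an added illustration, not Grav's own code: a constructed flat-file-style account store in which the vulnerable create path skips the uniqueness check and reuses the existing administrator record, shown beside a hardened path that rejects the duplicate. Names such as `create_user_vulnerable`, `create_user_fixed`, the `access` map layout and the password hashing are assumptions of this model.

```python
import hashlib
import secrets

def normalize(username: str) -> str:
    # Usernames become file names in a flat-file store: check uniqueness on this form.
    return username.strip().lower()

def _hash(password: str) -> str:
    # Stand-in for a real password hash, not the scheme Grav uses.
    return hashlib.sha256(password.encode()).hexdigest()

def create_user_vulnerable(accounts: dict, username: str, password: str, email: str) -> dict:
    # Flaw: no uniqueness check; an existing record is reused and its 'access' survives.
    key = normalize(username)
    record = accounts.get(key, {})
    record.update({"email": email, "hashed_password": _hash(password)})
    record.setdefault("access", {"site": {"login": True}})
    accounts[key] = record
    return record

def create_user_fixed(accounts: dict, username: str, password: str, email: str) -> dict:
    # Fix: refuse to create a record whose normalized username already exists.
    key = normalize(username)
    if key in accounts:
        raise ValueError(f"username {username!r} is already taken")
    accounts[key] = {"email": email, "hashed_password": _hash(password),
                     "access": {"site": {"login": True}}}
    return accounts[key]

def login(accounts: dict, username: str, password: str):
    # Returns the account's access map on success, None otherwise.
    record = accounts.get(normalize(username))
    if record and secrets.compare_digest(record["hashed_password"], _hash(password)):
        return record["access"]
    return None

def demo() -> dict:
    # Constructed store (not Grav data) with one administrator; each path gets a copy.
    admin = {"email": "admin@example.test", "hashed_password": _hash("original-secret"),
             "access": {"admin": {"super": True}, "site": {"login": True}}}
    vulnerable, fixed = {"admin": dict(admin)}, {"admin": dict(admin)}
    create_user_vulnerable(vulnerable, "Admin", "new-secret", "other@example.test")
    try:
        create_user_fixed(fixed, "Admin", "new-secret", "other@example.test")
        rejected = False
    except ValueError:
        rejected = True
    return {"escalated_access": login(vulnerable, "admin", "new-secret"),
            "admin_locked_out": login(vulnerable, "admin", "original-secret") is None,
            "fixed_rejected_duplicate": rejected}
```

The `admin_locked_out` result is also the defender's signal: after a successful duplicate-username creation the legitimate administrator's password stops working, so failed logins from a known admin account shortly after a user-creation event are worth an alert.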

CVSS Analysis

This vulnerability has been assigned a CVSS score of 8.8, indicating a HIGH severity. The CVSS vector string is not available in the provided information, but a high score reflects the ease of exploitation and the significant impact on system integrity and confidentiality.

Possible Impact

Successful exploitation of CVE-2025-66296 can have severe consequences:

  • Complete System Compromise: An attacker gaining administrator access can modify any content, install malicious plugins or themes, and potentially gain control of the underlying server.
  • Data Breach: Sensitive data stored within the Grav CMS installation, including user information and content, could be exposed.
  • Denial of Service: The attacker could disrupt the normal operation of the website by deleting content or modifying system configurations.
  • Reputational Damage: A successful attack can severely damage the reputation of the website and the organization behind it.

Mitigation or Patch Steps

The recommended mitigation is to upgrade Grav CMS to version 1.8.0-beta.27 or later. This version includes a fix that enforces username uniqueness during user creation, preventing the privilege escalation vulnerability.

Steps to upgrade:

  1. Log in to the Grav Admin Panel.
  2. Navigate to the “Plugins” section.
  3. Check for available updates and upgrade the “Admin” plugin to version 1.8.0-beta.27 or later.
  4. If using the Grav CLI, use the command `bin/gpm update` to update Grav and its plugins.

If an immediate upgrade is not possible, consider temporarily disabling the “Admin” plugin. Note that this removes browser-based administration of the site until the plugin is re-enabled.

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.