Grav CMS Critical CVE Cluster: Hosting Patch Guide

Patch Grav CMS critical and high-severity advisories affecting core, Login, API, and Form components. Safe checklist for website owners and hosting providers.

Impact statement: A new Grav CMS security cluster includes critical and high-severity issues affecting Grav core, the Login plugin, the API plugin, and the Form plugin. The highest-risk items include CVE-2026-42613, where some self-registration configurations can let an unauthenticated visitor gain administrative privileges, and CVE-2026-42608, where unauthenticated requests can alter files used by the site. For hosted websites, the practical risk is site takeover, content tampering, data exposure, account abuse, or cleanup work across customer sites.

This is a protect-only guide. We are not publishing attack steps, scanner-ready checks, request details, or lab notes. The useful answer is to inventory Grav installs, back them up, apply the fixed Grav and plugin versions, temporarily restrict risky public features, review users and changed files, and tell customers what changed.

Who Is Affected

  • Grav CMS sites running versions that the advisories list as older than the fixed releases.
  • Sites using public self-registration, public forms, customer uploads, or multi-user editing.
  • Sites testing the Grav 2.0 beta or release-candidate path with the API plugin enabled.
  • cPanel, Plesk, DirectAdmin, and VPS hosting customers who installed Grav manually or through an application installer and have not checked it recently.
  • Agencies hosting documentation sites, microsites, knowledge bases, campaign pages, or flat-file CMS sites for customers.

The advisories list several fixed version targets. Grav core issues such as CVE-2026-42613 and CVE-2026-42608 point to 2.0.0-beta.2 or newer. The Grav API plugin advisories include fixes in 1.0.0-beta.15 and 2.0.0-beta.4 or newer. The Grav Form plugin issue points to 9.1.0 or newer. Use the official advisory for the exact component you run, especially if your production site remains on the 1.7 stable branch.

Patch First

Before changing anything, take a file backup. Grav is file-based, so the site directory matters. Keep the backup off the public web path and make sure you can restore it before you start updates.

cd /path/to/grav-site
php bin/gpm version grav
php bin/gpm index | grep '| installed' || true
php bin/gpm selfupgrade -f
php bin/gpm update
php bin/grav clearcache
php bin/gpm version grav

If your host uses a different PHP CLI path, run the same Grav commands with that binary. If you manage Grav through the Admin plugin, check the Grav version in the admin footer, update Grav, update plugins and themes, clear cache, and then confirm the fixed versions again.
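The backup step above is the one people skip under time pressure, so here is an added example, not part of this guide or of Grav's own tooling, that does it the way the guide describes: the archive is written outside the site directory (a backup placed under the web root would itself be downloadable), it is read back and compared with the tree as a cheap restore check, and it is made readable only by its owner because the account files inside carry password hashes. The sample site built by demo() is constructed data; the function names and paths are assumptions of the example.

```python
# Added example, not part of this guide or of Grav's own tooling. It assumes only
# what the guide states: the site is a directory tree, and the backup must sit
# outside the public web path and be checked before updates start.
import os
import tarfile
import tempfile
import time


def backup_site(site_root, backup_dir):
    """Archive site_root to backup_dir/<site>-<timestamp>.tar.gz, then read the
    archive back and compare its entry count with the tree (a cheap restore check).
    Refuses a backup_dir inside site_root so the archive can never be web-served."""
    site_root = os.path.realpath(site_root)
    backup_dir = os.path.realpath(backup_dir)
    if backup_dir == site_root or backup_dir.startswith(site_root + os.sep):
        raise ValueError('backup directory must be outside the site directory')
    os.makedirs(backup_dir, exist_ok=True)
    stamp = time.strftime('%Y%m%d-%H%M%S')
    archive = os.path.join(backup_dir, f'{os.path.basename(site_root)}-{stamp}.tar.gz')
    with tarfile.open(archive, 'w:gz') as tar:
        tar.add(site_root, arcname=os.path.basename(site_root))
    os.chmod(archive, 0o600)  # account files inside carry password hashes
    with tarfile.open(archive, 'r:gz') as tar:
        stored = sum(1 for m in tar.getmembers() if not m.isdir())
    on_disk = sum(len(files) for _, _, files in os.walk(site_root))
    if stored != on_disk:
        raise RuntimeError(f'archive holds {stored} entries, site tree has {on_disk}')
    return archive, stored


def demo():
    """Constructed sample: a tiny fake site, a sibling backups/ directory, and one
    attempt to put the backup inside the site, which must be rejected."""
    base = tempfile.mkdtemp(prefix='grav-backup-')
    site = os.path.join(base, 'grav-site')
    for rel in ('user/config/system.yaml', 'user/accounts/alice.yaml',
                'user/pages/01.home/default.md'):
        path = os.path.join(site, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write('# constructed sample content\n')
    archive, count = backup_site(site, os.path.join(base, 'backups'))
    try:
        backup_site(site, os.path.join(site, 'backups'))
        rejected = False
    except ValueError:
        rejected = True
    return {'archive': archive, 'files': count, 'rejected_inside_site': rejected}


if __name__ == '__main__':
    print(demo())
```

Run it with the real site path and a backup directory such as one under the account's home but above public_html; the count check is deliberately simple (a site containing symlinked directories would be reported as a mismatch), so on a tree that trips it, list the archive by hand before trusting it.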

Temporary Protection If You Cannot Patch Today

  • Disable public self-registration unless the site absolutely needs it.
  • Restrict public forms and upload fields until the Form plugin is updated.
  • Disable or restrict the API plugin if it is not required.
  • Require VPN, IP allowlisting, or control-panel protection for admin areas where possible.
  • Place the site behind a WAF rule set that can challenge suspicious form, login, and CMS admin behavior while updates are pending.
  • Remove abandoned Grav test folders, old staging copies, and forgotten subdomain installs.

Temporary shielding buys time, but it is not a replacement for updating Grav and the affected plugins. Treat WAF coverage as a short bridge to a fixed version.

Safe Review Checklist

After updates, review the site as you would a possible account-abuse or content-tampering incident. You are looking for changed users, changed pages, new files, unexpected form output, and unusual admin activity.

cd /path/to/grav-site
php bin/gpm version grav
find user/accounts -maxdepth 1 -type f -mtime -14 -print
find user/pages -type f -mtime -14 -print | head -100
find user/data -type f -mtime -14 -print | head -100
find logs -type f -mtime -14 -print

For cPanel-hosted Grav sites, also run the account malware scanner, review recent access logs, inspect public upload locations, check file modification dates around the disclosure window, and confirm that old backups do not contain a vulnerable copy that will be restored later by mistake.
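The find commands show which account files changed, but not what is in them. As an added example, not from this guide or from Grav, the following Python helper automates two checklist items from this page: the temporary-protection check (is public self-registration still switched on in the Login plugin, is the API plugin still enabled) and the account review (which accounts hold admin access, and which account files changed inside the 14-day window). It assumes Grav's usual layout, which the guide does not spell out: accounts in user/accounts/<user>.yaml with an access map, plugin defaults in user/plugins/<p>/<p>.yaml with site overrides in user/config/plugins/<p>.yaml, and the Login plugin's user_registration.enabled key. It parses only the nested-map subset of YAML those files use, and the site that demo() builds is constructed sample data.

```python
# Added example, not Grav's own code. Assumptions (not from the guide): accounts are
# user/accounts/<user>.yaml with an `access:` map; plugin defaults sit in
# user/plugins/<p>/<p>.yaml, site overrides in user/config/plugins/<p>.yaml;
# the Login plugin's self-registration switch is `user_registration.enabled`.
import os
import tempfile
import time


def parse_simple_yaml(text):
    """Nested maps of scalars only: 'key: value', or 'key:' opening an indented
    block. No lists, quoting or multi-line values (constructed helper)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open block
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(':')
        while indent <= stack[-1][0]:  # a shallower line closes deeper blocks
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def truthy(value):
    return str(value).strip().lower() in ('true', 'yes', 'on', '1')


def deep_merge(base, override):
    """Site override wins; nested maps are merged rather than replaced."""
    merged = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def load_plugin_config(site_root, plugin):
    """Plugin defaults layered under the site's override, as Grav resolves them."""
    merged = {}
    for path in (os.path.join(site_root, 'user', 'plugins', plugin, plugin + '.yaml'),
                 os.path.join(site_root, 'user', 'config', 'plugins', plugin + '.yaml')):
        if os.path.isfile(path):
            with open(path, encoding='utf-8') as fh:
                merged = deep_merge(merged, parse_simple_yaml(fh.read()))
    return merged


def risky_public_features(site_root):
    """Temporary-protection settings that are still in their risky state."""
    findings = []
    registration = load_plugin_config(site_root, 'login').get('user_registration', {})
    if isinstance(registration, dict) and truthy(registration.get('enabled', 'false')):
        findings.append('login: public self-registration is enabled')
    if truthy(load_plugin_config(site_root, 'api').get('enabled', 'false')):
        findings.append('api: API plugin is enabled')
    return findings


def has_admin_access(account):
    """True when the account may log in to the admin panel or is a super user."""
    access = account.get('access', {})
    admin = access.get('admin', {}) if isinstance(access, dict) else {}
    return isinstance(admin, dict) and (
        truthy(admin.get('login', 'false')) or truthy(admin.get('super', 'false')))


def review_accounts(site_root, days=14, now=None):
    """Return (usernames with admin access, usernames whose file changed in `days`)."""
    cutoff = (time.time() if now is None else now) - days * 86400
    admins, recent = [], []
    acct_dir = os.path.join(site_root, 'user', 'accounts')
    for name in sorted(os.listdir(acct_dir)):
        if not name.endswith('.yaml'):
            continue
        path = os.path.join(acct_dir, name)
        with open(path, encoding='utf-8') as fh:
            account = parse_simple_yaml(fh.read())
        if has_admin_access(account):
            admins.append(name[:-5])
        if os.path.getmtime(path) >= cutoff:
            recent.append(name[:-5])
    return admins, recent


def demo():
    """Constructed sample site: an old admin, an editor, and a newly created admin."""
    root = tempfile.mkdtemp(prefix='grav-review-')
    files = {
        'user/plugins/api/api.yaml': 'enabled: true\n',  # plugin default, no override
        'user/config/plugins/login.yaml': 'user_registration:\n  enabled: true\n',
        'user/accounts/alice.yaml': 'access:\n  admin:\n    login: true\n    super: true\n',
        'user/accounts/bob.yaml': 'access:\n  site:\n    login: true\n',
        'user/accounts/newadmin.yaml': 'access:\n  admin:\n    login: true\n',
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(text)
    old = time.time() - 30 * 86400  # alice's file predates the review window
    os.utime(os.path.join(root, 'user', 'accounts', 'alice.yaml'), (old, old))
    admins, recent = review_accounts(root, days=14)
    return {'admins': admins, 'recent': recent, 'risky': risky_public_features(root)}
```

Point review_accounts() and risky_public_features() at the real site root after patching; an account that appears in both lists (admin access and changed inside the window) is the one to confirm with the customer first, and any finding from risky_public_features() means a temporary-protection item from the list above is still open.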

Hosting Provider Checklist

  • Search customer accounts for Grav installs, especially manual installs under subdomains and addon domains.
  • Prioritize sites with public registration, forms, uploads, API access, or multiple editors.
  • Notify affected customers that Grav and related plugins need security updates.
  • Back up each site before applying updates or making configuration changes.
  • Apply temporary WAF shielding for public form, login, upload, and admin surfaces while customer approvals are pending.
  • After patching, run malware and file-integrity checks and document what changed.

What To Tell Customers

Tell customers that a Grav CMS security advisory batch affects sites with certain Grav core and plugin versions. The urgent action is to update Grav and related plugins, temporarily turn off public registration or upload-heavy forms if patching is delayed, and review recent users, pages, uploads, and logs for unusual changes. Customers do not need attack details to make the right decision; they need a backup, a fixed version, and a short review.

admin