Improper Privilege Management

CVE-2026-42609

Low

0/10

Summary

A business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the request. This leads to a Denial of Service (DoS) on administrative functions and Privilege De-escalation of the root account. The affected versions are prior to 2.0.0-beta.2.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-269 - Improper Privilege Management

An effective privilege management infrastructure provides valid users with required access and privileges across heterogeneous technology environments. An application with a faulty privilege management infrastructure allows higher than authorized privileges or enables privilege escalation. This can lead to security incidents such as system infiltration, data breach, and complete system takeover.

References

Advisory

Advisory Timeline

Published May 11, 2026

Improper Privilege Management

CVE-2026-42609

Summary

CWE-269 - Improper Privilege Management

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS