PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-61450 getgrav CVE debrief

CVE-2026-61450 is a high-severity vulnerability in Grav, a popular open-source content management system. The vulnerability allows a page author to bypass the Twig sandbox and exfiltrate configuration secrets, including sensitive information such as SMTP credentials, API keys, and plugin DB credentials. This issue arises from an incomplete fix for a previous vulnerability (GHSA-j274-39qw-32c9). Although the sandbox replaces the 'config' variable with a redacted facade and strips Config::get/toArray from the method allowlist, the raw container remains accessible via the allow-listed grav.offsetGet('config'). This allows an attacker to serialize the real Config object at the PHP level without invoking the sandbox method gate, exposing the full config tree including sensitive information. Administrators and users of Grav versions prior to 2.0.2 should be aware of this vulnerability and take immediate action to patch their installations.

Vendor
getgrav
Product
grav
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Administrators and users of Grav versions prior to 2.0.2 should be aware of this vulnerability and take immediate action to patch their installations. Additionally, security teams and researchers should be aware of the potential impact of this vulnerability and take steps to identify and remediate affected systems.

Technical summary

The vulnerability exists due to an incomplete fix for a previous issue (GHSA-j274-39qw-32c9). Although the sandbox replaces the 'config' variable with a redacted facade and strips Config::get/toArray from the method allowlist, the raw container remains accessible via the allow-listed grav.offsetGet('config'). This allows an attacker to serialize the real Config object at the PHP level without invoking the sandbox method gate, exposing the full config tree including sensitive information.

Defensive priority

High

Recommended defensive actions

  • Apply the official patch (Grav 2.0.2 or later) to fix the vulnerability.
  • Review and update configuration secrets, such as SMTP credentials, API keys, and plugin DB credentials, to prevent unauthorized access.
  • Implement additional security measures, such as monitoring and logging, to detect potential exploitation attempts.
  • Conduct a thorough inventory of affected systems and prioritize patching based on risk and exposure.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.

Evidence notes

The CVE record was published on 2026-07-10T15:16:50.740Z and has not been modified since then. The NVD entry is currently Deferred. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T15:16:50.740Z and has not been modified since then. The NVD entry is currently Deferred.