PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-62236 getgrav CVE debrief

A cross-site request forgery (CSRF) vulnerability exists in grav-plugin-login before version 3.8.11. The vulnerability is located in the login.regenerate2FASecret frontend task, which allows an attacker to regenerate and persist a new TOTP secret for the authenticated session user without proper anti-CSRF measures. This can be exploited by luring a logged-in victim to an off-site page, causing the victim's TOTP secret to be rotated, effectively forcing 2FA re-enrollment. Sites configured with session.samesite: Strict are not affected.

Vendor
getgrav
Product
grav
CVSS
LOW 2.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Administrators and users of Grav CMS with the grav-plugin-login extension installed should be aware of this vulnerability. Sites with 2FA enabled and users who have enrolled in 2FA are particularly at risk. Developers and security teams should prioritize updating to version 3.8.11 or later to mitigate this vulnerability.

Technical summary

The grav-plugin-login extension for Grav CMS contains a CSRF vulnerability in the login.regenerate2FASecret task. This task regenerates and persists a new TOTP secret for the authenticated user without validating the request origin. An attacker can exploit this by inducing a logged-in user to visit an off-site page, which performs a GET request to the vulnerable endpoint, thereby rotating the user's TOTP secret. This forces the user to re-enroll in 2FA, as their existing authenticator app will no longer match the server's stored secret. The vulnerability is mitigated in version 3.8.11.

Defensive priority

Medium

Recommended defensive actions

  • Update grav-plugin-login to version 3.8.11 or later
  • Review and adjust session configuration, particularly session.samesite settings
  • Monitor for suspicious 2FA re-enrollment activities
  • Consider implementing additional CSRF protections for sensitive operations
  • Perform a thorough review of the system for any potential exposure
  • Verify that all users have been notified of the vulnerability and are aware of the necessary actions
  • Check for any unusual activity in the system logs that may indicate exploitation attempts

Evidence notes

The CVE record was published on 2026-07-17T02:18:11.327Z and has not been modified since then. The NVD entry is currently in the 'Received' state. Limited details are available about the CVE's impact and affected configurations.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T02:18:11.327Z and has not been modified since then. The NVD entry is currently Received.