CVE-2026-42608

Vulnerability Report: Grav CMS Unauthenticated Path Traversal & Arbitrary File Write

[ZERO-DAY] Unauthenticated Path Traversal leading to Arbitrary Directory Creation and Configuration Injection

Summary

Grav CMS (v1.7.49.5 and latest development source) is vulnerable to a Zero-Day Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POST requests), an unauthenticated attacker can traverse the filesystem to create arbitrary directories and write an index.yaml file containing attacker-controlled data.

This vulnerability can lead to unauthorized modification of application behavior, potential data integrity issues, and service disruption in production environments.

Affected Component

• Versions: Confirmed in Grav v1.7.49.5 (latest stable) and the latest development source (March 2026).
• Class: Grav\Framework\Form\FormFlash
• Method: __construct() / getTmpDir()
• Parameter: session_id (Mapped to __form-flash-id in POST requests)

Vulnerability Details

The FormFlash class is used to persist form data across redirects. It constructs a temporary storage path using the provided session_id. The path construction logic in the latest source:

$folder = $config['folder'] ?? ($this->sessionId ? 'tmp://forms/' . $this->sessionId : '');
$this->folder = $folder && $locator->isStream($folder) ? $locator->findResource($folder, true, true) : $folder;

Lack of sanitization on the sessionId (the raw session identifier) allows the use of ../ sequences. When findResource resolves the stream, it allows escape into any writable directory within the webserver's scope (typically user/config/, cache/, logs/, and tmp/).

Affected Versions & Zero-Day Status

• Tested Version: v1.7.49.5 (Latest Stable Release as of Nov 2025).
• Development Branch Status: Vulnerable. The latest source code in the GitHub develop branch (March 2026) remains unpatched.
• Affected Range: All Grav CMS versions utilizing the FormFlash component (v1.7.x and potentially older v1.6.x versions).
• CVE Status: Zero-Day (Non-Registered). Extensive research confirmed no existing CVE addresses this specific core FormFlash session-based traversal.

Steps to Reproduce

1. Identify any page containing a Grav Form (e.g., /contact).
2. Intercept the POST request during form submission.
3. Modify the __form-flash-id parameter to include a traversal sequence targeting a writable directory (e.g., ../../user/config/proof_dir).
4. Submit the request.
5. Observe that a new directory (poc/) and file (index.yaml) have been created at the traversed path.

Request Example

POST /contact HTTP/1.1
Host: target.grav.cms
Content-Type: application/x-www-form-urlencoded
__form-name-=contact&__form-flash-id=../../user/config/proof_dir&form-data[name]=Attack&form-data[message]=Payload

Response / Result

• HTTP/1.1 302 Found (Standard redirect)
• Filesystem Modification:
• Directory Created: /var/www/html/user/config/proof_dir/poc/
• File Created: /var/www/html/user/config/proof_dir/poc/index.yaml

Proof of Concept Evidence (Before/After)

Before Exploitation

• Status: Directory does not exist.
• Evidence:

$ ls -la /var/www/html/user/config/proof_dir/
ls: cannot access '/var/www/html/user/config/proof_dir/': No such file or directory

After Exploitation

• Status: Arbitrary directory and index.yaml created.
• Evidence:

$ ls -la /var/www/html/user/config/proof_dir/poc/index.yaml
-rw-rw-r-- 1 www-data www-data 158 Mar 23 22:15 /var/www/html/user/config/proof_dir/poc/index.yaml
$ cat /var/www/html/user/config/proof_dir/poc/index.yaml
form: ''
id: ''
unique_id: poc
...
data:
  poc_status: confirmed

Impact

• Clarified Cross-User Attack: By controlling the session identifier, an attacker can overwrite or interfere with other users temporary form data, breaking session isolation.
• Configuration Injection: Writing index.yaml into plugin/theme configuration subdirectories can alter application behavior or inject malicious settings.
• Data Integrity: Unauthorized modification of configuration subfolders can lead to widespread site corruption or logical bypasses.
• Denial of Service (DoS): Recursive directory creation enables attackers to exhaust disk space or inodes (inode exhaustion).

Attack Requirements

• Authentication: None (Unauthenticated)
• Configuration: Standard Grav installation with at least one form-enabled page (e.g., Contact, Login, Registration)

Exploitability Assessment

• Complexity: Low. Requires only basic HTTP POST parameters.
• Reliability: 100% (Deterministically reproducible in vulnerable versions).
• Severity: Critical / High. The vulnerability requires no authentication and allows filesystem manipulation and session data corruption.

Remediation

1. Sanitize Session IDs: Apply basename() or a strict alphanumeric regex to the session_id in FormFlash before path construction.
2. Filesystem Hardening: Ensure user/config/ and other sensitive directories have restrictive permissions preventing the webserver from creating new subdirectories.
3. Update Grav: Monitor for patches addressing FormFlash sanitization.

---

Maintainer note — fix applied (2026-04-24)

Fixed in Grav core on the 2.0 branch: commit d904efc33 — will ship in 2.0.0-beta.2.

What changed: FormFlash::__construct() now sanitizes session_id, unique_id, and id through a strict [A-Za-z0-9,_-]{1,64} allowlist before any path is constructed from them. Invalid values collapse to '', which causes save()/delete()/getTmpDir() to no-op — so a __form-flash-id=../../user/config/proof_dir POST simply does nothing on disk.

Files:

• system/src/Grav/Framework/Form/FormFlash.php
• tests/unit/Grav/Common/Security/FormFlashSecurityTest.php — 32 test cases covering the PoC + variants.