8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-66296

GHSA ID

GHSA-cjcp-qxvg-4rjm

EPSS Score

CWE

CWE-266

Published

12/2/2025

Updated

12/2/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66296

CVE-2025-66296: Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover

Summary

A privilege escalation vulnerability exists in Grav’s Admin plugin due to the absence of username uniqueness validation when creating users. A user with the create user permission can create a new account using the same username as an existing administrator account, set a new password/email, and then log in as that administrator. This effectively allows privilege escalation from limited user-manager permissions to full administrator access.

Steps to Reproduce

Make sure you have two accounts: an admin and a user with create user privilege
In the user account, navigate to /grav-admin/admin/accounts/users and click "Add"
Enter the name of the admin, complete registration and observe that the existing admin’s email is changed to the value you provided.
Log out from user account log in as admin with new credentials

Impact

Full admin takeover by any user with create user permission.
Ability to change admin credentials, install/remove plugins, read or modify site data, and execute any action available to an admin.
Severity: High/Critical.

PoC

https://github.com/user-attachments/assets/3ab0a7d6-5055-41be-9e0e-2bd6ca359b37

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66296

CVE-2025-66296:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-66296

GHSA ID

GHSA-cjcp-qxvg-4rjm

EPSS Score

CWE

CWE-266

Published

12/2/2025

Updated

12/2/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
getgrav/grav	composer	< 1.8.0-beta.27	1.8.0-beta.27

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allows a user with user creation privileges to take over an administrator's account by creating a new user with the same username. This is a classic privilege escalation vulnerability caused by a missing uniqueness check.

The analysis of the patch commit 3462d94d575064601689b236508c316242e15741 clearly shows the remediation strategy. The developers targeted the functions responsible for persisting user data and added checks to ensure a username does not already exist before creating a new user account.

Two primary functions were identified as vulnerable:

Grav\Common\Flex\Types\Users\UserObject::save(): This is part of Grav's modern 'Flex Objects' framework. The patch adds a call to $storage->hasKey() to verify username uniqueness.
Grav\Common\User\DataUser\User::save(): This is part of Grav's legacy user system. The patch adds a call to $locator->findResource() to check if a user file with that name already exists.

When the vulnerability is exploited, the user creation process in the Grav Admin panel will ultimately invoke one of these save() methods. In a vulnerable version, the method would proceed to overwrite the existing admin's user file. In a patched version, the added check will trigger an exception, preventing the account takeover. Therefore, these two functions are the precise runtime indicators for this vulnerability.

Vulnerable functions

Grav\Common\Flex\Types\Users\UserObject::save

system/src/Grav/Common/Flex/Types/Users/UserObject.php

This function is responsible for saving user objects within Grav's 'Flex' user management system. The vulnerability existed because this function did not check if a user with the same username (storage key) already existed before creating a new one. An attacker could call this function by creating a new user with an existing admin's username, which would overwrite the admin's account data. The patch adds a check `if ($storage->hasKey($newKey))` to prevent this overwrite.

Grav\Common\User\DataUser\User::save

system/src/Grav/Common/User/DataUser/User.php

This function handles saving user data for Grav's legacy file-based user management. The vulnerability was present because this function failed to verify if a user account file for the given username already existed. This allowed an attacker to create a user with the same name as an administrator, causing the original administrator's account file to be overwritten with new credentials. The patch introduces a check using `$locator->findResource()` to ensure the username is unique before saving.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66296: Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover

Summary

Steps to Reproduce

Impact

PoC

CVE-2025-66296:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

8.8

8.8

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-66296: Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover

Summary

Steps to Reproduce

Impact

PoC

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI