CVE-2026-42609
Published: 11 May 2026
Summary
CVE-2026-42609 is a high-severity Improper Privilege Management (CWE-269) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, it ranks at the 11.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Documented procedures facilitate correct implementation and ongoing management of authorization decisions.
- Periodic reviews identify and correct flaws in authorization decisions or their enforcement.
- Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions.
- Mandating an authorization decision for each access request reduces the ability to exploit improper authorization weaknesses.
- A reference monitor ensures that authorization decisions are always performed by a complete and analyzable enforcement point.
- Checking and applying authorization decisions per policy prevents improper authorization.
- Mandating division of duties across roles enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.
- Restricting each account to only the rights it requires implements core privilege management.
NVD Description
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account's metadata and permissions instead of rejecting the request. This leads to a Denial of Service (DoS) on administrative functions and Privilege De-escalation of the root account. This vulnerability is fixed in 2.0.0-beta.2.
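The flaw described above is a missing existence check in the create path: a "create" request for a username that already exists falls through to an update of that account. The following Python model, added here as an illustration and not taken from Grav's code base, puts the vulnerable handler beside the corrected one. The `AccountStore`, the `users.create` permission name, the `admin.super` access flag and all sample accounts are constructed for the example; the corrected handler simply refuses to create an account whose username already exists, which is the behaviour the advisory says the fix restores.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, Tuple

@dataclass
class Account:
    username: str
    email: str
    access: Dict[str, Any] = field(default_factory=dict)  # e.g. {"admin": {"super": True}}

class AccountStore:
    """In-memory stand-in for a per-user account file store (constructed for this example)."""
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def exists(self, username: str) -> bool:
        return username in self._accounts

    def get(self, username: str) -> Account:
        return self._accounts[username]

    def save(self, account: Account) -> None:
        # Writing an account under an existing key replaces it, exactly like
        # overwriting the existing account's file on disk.
        self._accounts[account.username] = account

def create_user_vulnerable(store: AccountStore, actor_perms: Dict[str, bool],
                           username: str, email: str, access: Dict[str, Any]) -> None:
    """Vulnerable pattern: only the create permission is checked, and the save
    silently overwrites any account that already has this username."""
    if not actor_perms.get("users.create"):
        raise PermissionError("users.create permission required")
    store.save(Account(username, email, dict(access)))

def create_user_fixed(store: AccountStore, actor_perms: Dict[str, bool],
                      username: str, email: str, access: Dict[str, Any]) -> None:
    """Corrected pattern: a create request may never touch an existing account.
    Modifying an existing account belongs to a separate edit flow with its own
    permission check, so the existing record is left untouched here."""
    if not actor_perms.get("users.create"):
        raise PermissionError("users.create permission required")
    if store.exists(username):
        raise ValueError(f"account '{username}' already exists; create request rejected")
    store.save(Account(username, email, dict(access)))

def is_super_admin(account: Account) -> bool:
    """Constructed access map: admin.super marks the primary administrator."""
    return bool(account.access.get("admin", {}).get("super"))

def run_scenario(handler) -> Tuple[str, bool]:
    """Replay the advisory's scenario against one handler: a low-privileged actor
    holding only users.create submits a 'new user' named after the existing
    administrator. Returns (outcome, admin_still_super)."""
    store = AccountStore()
    store.save(Account("admin", "root@example.test", {"admin": {"super": True}}))
    low_priv_actor = {"users.create": True}
    try:
        handler(store, low_priv_actor, "admin", "attacker@example.test",
                {"site": {"login": True}})
        outcome = "accepted"
    except ValueError:
        outcome = "rejected"
    return outcome, is_super_admin(store.get("admin"))

def run_all() -> Dict[str, Tuple[str, bool]]:
    return {
        "vulnerable": run_scenario(create_user_vulnerable),
        "fixed": run_scenario(create_user_fixed),
    }

if __name__ == "__main__":
    for name, (outcome, still_super) in run_all().items():
        print(f"{name:10s} request {outcome}; admin still super: {still_super}")
```

With the vulnerable handler the request is accepted and the administrator's `admin.super` flag is gone, which is the de-escalation and administrative DoS the advisory describes; with the corrected handler the request is rejected and the administrator record is unchanged. For a file-based store the existence check should use the same key normalisation as the file naming (case folding on case-insensitive filesystems, for instance); that is a general hardening consideration, not something the advisory states about Grav.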
Details
- CWE(s): CWE-269 (Improper Privilege Management)