Grav RCE via Malicious Plugin Upload (CVE-2026-42607)

The National Vulnerability Database has detailed CVE-2026-42607, a critical Remote Code Execution (RCE) vulnerability in Grav, a file-based web platform. Prior to version 2.0.0-beta.2, an authenticated administrative user could achieve RCE by uploading a specially crafted ZIP file through the “Direct Install” tool. This flaw, rated CVSS 9.1 (Critical), stems from Grav’s failure to adequately inspect the contents of uploaded ZIP archives, even though direct .php file uploads are blocked.

Attackers can exploit this by packaging a malicious plugin within a ZIP file. Once extracted, this plugin can execute arbitrary PHP code or drop a persistent web shell on the server. The vulnerability hinges on the assumption that an authenticated administrator won’t upload malicious content, which is a dangerous blind spot in security architecture. Insider threats, compromised admin accounts, or even social engineering could easily lead to exploitation.

For defenders, this is a clear reminder that file upload mechanisms, especially those handling archives, require robust content inspection beyond just file extensions. Trusting user input, even from authenticated users, for such critical operations is a fundamental security misstep. The fix is available in Grav version 2.0.0-beta.2, which addresses this oversight.
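The content inspection called for above, as an added example that is not Grav's code and not the upstream fix: a pre-extraction check for a plugin archive. A plugin for a PHP platform legitimately contains PHP, so the check cannot simply reject PHP files; what it can do is refuse archives whose extraction would escape the plugin directory (absolute or `..` paths, symlinks), archives that carry web-server override files, and archives that do not match the expected plugin layout, and record a digest of what the administrator installed so the action is auditable. The expected layout (one top-level directory holding `blueprints.yaml`), the override-file list, the size limits, and the sample archives are assumptions constructed for this example.

```python
"""Added example, not Grav's code: pre-extraction checks for an uploaded plugin ZIP.

Assumptions for the example: a plugin archive has exactly one top-level directory
containing blueprints.yaml; the override-file list and limits below are illustrative.
"""
import hashlib
import io
import posixpath
import stat
import zipfile

# Files that change which extensions the web server executes (assumption; tune per server).
HANDLER_OVERRIDES = {".htaccess", ".user.ini", "web.config"}
MAX_MEMBERS = 5000
MAX_UNCOMPRESSED = 50 * 1024 * 1024  # 50 MiB; bounds the cost of a decompression bomb


def inspect_plugin_zip(data: bytes) -> list[str]:
    """Return findings for the archive; an empty list means every check passed."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    members = zf.infolist()
    findings = []
    if len(members) > MAX_MEMBERS:
        findings.append(f"too many members: {len(members)}")
    total = sum(m.file_size for m in members)
    if total > MAX_UNCOMPRESSED:
        findings.append(f"uncompressed size {total} exceeds limit")
    top_dirs = set()
    has_blueprint = False
    for m in members:
        name = m.filename.replace("\\", "/")
        norm = posixpath.normpath(name)
        # Zip-slip: an absolute path or a path that resolves above the archive root
        # would make the extraction step write outside the plugin directory.
        if name.startswith("/") or norm.split("/")[0] == "..":
            findings.append(f"unsafe path: {m.filename}")
            continue
        parts = norm.split("/")
        top_dirs.add(parts[0])
        # Unix-created archives store the file mode in the high 16 bits of external_attr.
        if stat.S_ISLNK(m.external_attr >> 16):
            findings.append(f"symlink member: {m.filename}")
        if m.is_dir():
            continue
        if parts[-1].lower() in HANDLER_OVERRIDES:
            findings.append(f"web server override file: {m.filename}")
        if len(parts) == 2 and parts[1] == "blueprints.yaml":
            has_blueprint = True
    if len(top_dirs) != 1:
        findings.append(f"expected one top-level directory, found {sorted(top_dirs)}")
    if not has_blueprint:
        findings.append("no blueprints.yaml in the plugin root")
    return findings


def archive_digest(data: bytes) -> str:
    """SHA-256 of the uploaded archive, to be written to the install audit log."""
    return hashlib.sha256(data).hexdigest()


def build_sample_archive(kind: str) -> bytes:
    """Constructed sample archives for the example: 'clean', 'traversal' or 'override'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("grav-plugin-example/blueprints.yaml", "name: Example\ntype: plugin\n")
        zf.writestr("grav-plugin-example/example.php", "<?php\nnamespace Grav\\Plugin;\n")
        if kind == "traversal":
            # Constructed member whose path climbs out of the plugin directory.
            zf.writestr("../../user/pages/dropped.txt", "constructed traversal member\n")
        elif kind == "override":
            zf.writestr("grav-plugin-example/.htaccess", "# constructed handler override\n")
    return buf.getvalue()


if __name__ == "__main__":
    for kind in ("clean", "traversal", "override"):
        data = build_sample_archive(kind)
        print(kind, archive_digest(data)[:16], inspect_plugin_zip(data) or "passed")
```

The structural checks narrow what an archive can do when extracted; they do not make plugin installation safe, since installing a plugin is code execution by design. That is why the digest goes to an audit log and why the page's advice on restricting administrative access matters more than any filter.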

What This Means For You

  • If your organization uses Grav, you need to immediately patch to version 2.0.0-beta.2 or later. Do not delay. This RCE allows a compromised admin account to completely own your web server. Audit administrative access for Grav instances and ensure strong authentication and least privilege are enforced. Attackers will leverage any path to RCE, and a compromised admin is a golden ticket.

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

critical · T1190 Initial Access

Sigma YAML
title: Grav RCE via Malicious Plugin Upload - CVE-2026-42607
id: scw-2026-05-11-ai-1
status: experimental
level: critical
description: |
  Detects a POST request to the Grav admin panel endpoint used for direct plugin installation, indicating an attempt to upload a plugin. This rule targets the initial access vector of CVE-2026-42607 by matching the URL path and method used to upload plugins, which is exploited by uploading a malicious ZIP file.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42607/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # cs-uri-stem (W3C request path) replaces the non-standard field name cs-uri
    cs-uri-stem|contains: '/admin/plugins/direct-install/step'
    cs-method: 'POST'
    sc-status: '302'
  selection_payload:
    # Matches only when the archive name appears in the query string; a multipart
    # upload carries the file name in the request body, which access logs do not record
    cs-uri-query|contains: 'zip'
  condition: selection and selection_payload
falsepositives:
  - Legitimate administrative activity
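The rule's logic applied to web server access logs, as an added example that is not part of the page's rule set: it parses W3C extended log lines, evaluates `selection and selection_payload` with Sigma's case-insensitive `contains` semantics, and returns the matching requests. The log lines, the client addresses (203.0.113.7, 198.51.100.4) and the timestamps are constructed for the example; the field names follow the W3C/Sigma webserver convention (`cs-method`, `cs-uri-stem`, `cs-uri-query`, `sc-status`).

```python
"""Added example: evaluate the Sigma rule above against W3C extended access logs.

The log text is constructed for this example; addresses and times are placeholders.
"""
from dataclasses import dataclass

SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-05-11 19:20:01 203.0.113.7 GET /admin/plugins - 200
2026-05-11 19:20:45 203.0.113.7 POST /admin/plugins/direct-install/step file=plugin.zip 302
2026-05-11 19:21:10 203.0.113.7 POST /admin/login - 302
2026-05-11 19:22:03 198.51.100.4 POST /admin/plugins/direct-install/step - 302
"""


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    uri_stem: str
    uri_query: str


def parse_w3c(text: str) -> list[dict]:
    """Parse W3C extended log text into one dict per request, keyed by the #Fields names."""
    fields: list[str] = []
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives such as #Version or #Date
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; a production parser would count and alert on these
        rows.append(dict(zip(fields, values)))
    return rows


def matches_rule(row: dict) -> bool:
    """The rule's 'selection and selection_payload'; Sigma string matching is case-insensitive."""
    selection = (
        "/admin/plugins/direct-install/step" in row.get("cs-uri-stem", "").lower()
        and row.get("cs-method", "").upper() == "POST"
        and row.get("sc-status", "") == "302"
    )
    selection_payload = "zip" in row.get("cs-uri-query", "").lower()
    return selection and selection_payload


def find_hits(text: str) -> list[Hit]:
    """Return every request in the log text that the rule matches."""
    return [
        Hit(f"{r['date']} {r['time']}", r["c-ip"], r["cs-uri-stem"], r["cs-uri-query"])
        for r in parse_w3c(text)
        if matches_rule(r)
    ]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Only the second line matches. The fourth line is the same endpoint, method and status but with an empty query string, which is what a normal multipart upload produces; it shows the blind spot the `selection_payload` clause introduces, and why a defender may prefer to alert on `selection` alone and treat every direct-install POST as an auditable administrative event.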

Source: Shimi's Cyber World

Indicators of Compromise

ID             | Type | Indicator
CVE-2026-42607 | RCE  | Grav web platform
CVE-2026-42607 | RCE  | Grav versions prior to 2.0.0-beta.2
CVE-2026-42607 | RCE  | Authenticated user with administrative privileges
CVE-2026-42607 | RCE  | Uploading specially crafted ZIP file via 'Direct Install' tool
CVE-2026-42607 | RCE  | Failure to inspect contents of uploaded ZIP archives

Source & Attribution
Source Platform: NVD
Channel: National Vulnerability Database
Published: May 11, 2026 at 19:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Related coverage

OpenClaw Improper Authentication: CVE-2026-8305 Publicly Exploitable

CVE-2026-8305 — A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component...

OpenClaw Improper Access Control Bypasses Denylist, Allows Persistent Malicious Configs

CVE-2026-45006 — OpenClaw before 2026.4.23 contains an improper access control vulnerability in the gateway tool's config.apply and config.patch operations that allows compromised models to write...

OpenClaw RCE: Arbitrary Code Execution via Plugin Setup Resolver

CVE-2026-45004 — OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd() during provider setup...
