CVE-2026-62230

Summary

Grav before 2.0.4 ships a default .htaccess (and reference webserver-configs/htaccess.txt) whose rules blocking access to sensitive file types (.yaml, .php, .json, etc.) lack the [NC] flag, making extension matching case-sensitive. On case-insensitive filesystems (Windows/NTFS, macOS/HFS+, or Docker volume mounts), an unauthenticated attacker can request these files with uppercase or mixed-case extensions (e.g., .YAML, .PHP) to bypass the restrictions and read sensitive configuration files that may contain API keys and credentials.

Affected Software

VendorProductVersion RangeStatus
getgravgrav0 < 2.0.4affected
getgravgrav2.0.4unaffected

Weaknesses

  • CWE-178: Improper Handling of Case Sensitivity

References