Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-62232— Grav < 2.0.4 2FA Bypass via Secret Regeneration

CVSS 7.4 · High
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-62232

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Grav < 2.0.4 2FA Bypass via Secret Regeneration
Source: NVD (National Vulnerability Database)
Vulnerability Description
Grav before 2.0.4 contains a two-factor authentication bypass vulnerability in the login plugin where the regenerate2FASecret task checks only user existence, not authorization, during the pending TOTP challenge window. Attackers who know the victim's password can call this task without a CSRF nonce to overwrite the 2FA secret with an attacker-chosen value, compute a valid TOTP code, and complete authentication while reducing 2FA to password-only protection.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制缺失
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
getgravgrav 0 ~ 2.0.4 -

II. Public POCs for CVE-2026-62232

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium
Qwen3.6-35B-A3B · 8571 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month

III. Intelligence Information for CVE-2026-62232

登录查看更多情报信息。

Vendor Advisories for CVE-2026-62232 (2)

Same Patch Batch · getgrav · 2026-07-17 · 10 CVEs total

CVE-2026-622338.8 HIGHgrav-plugin-api < 1.0.6 Privilege Escalation via createApiKey
CVE-2026-622348.1 HIGHGrav < 2.0.4 SSRF via Unrestricted cURL Protocols
CVE-2026-622318.1 HIGHGrav < 1.0.6 API Key Scope Bypass via ApiKeyAuthenticator
CVE-2026-623867.5 HIGHGrav < 1.0.0-rc.16 Authentication Bypass via token URL Parameter
CVE-2026-622307.5 HIGHGrav < 2.0.4 File Access Bypass via Case Variation
CVE-2026-623877.1 HIGHGrav < 1.0.0-rc.16 CORS Misconfiguration via API Plugin
CVE-2026-622376.5 MEDIUMGrav < 2.0.4 ReDoS via regex_replace in Sandbox
CVE-2026-622356.3 MEDIUMGrav Flex-Objects < 1.4.3 Authorization Bypass via API
CVE-2026-622365.4 MEDIUMgrav-plugin-login < 3.8.11 CSRF via regenerate2FASecret

IV. Related Vulnerabilities

V. Comments for CVE-2026-62232

No comments yet


Leave a comment