CVE-2026-56700 (CRITICAL) | CNA: VulnCheck

CVE-2026-56700: Grav - Multiple Remote Code Execution Vulnerabilities via Unsafe Unserialize and Command Injection

Grav CMS before 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize() calls - in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session - deserialize untrusted data without restricting allowed classes, enabling PHP object injection and, via a gadget chain, arbitrary code execution where an attacker controls the serialized input. Additionally, InstallCommand's git clone operation passes the branch, url, and path parameters into a shell command without escaping, allowing OS command injection via plugin/theme installation (which requires admin access). A Twig security blocklist bypass (server-side template injection) is also present. The issues are fixed in 2.0.0-beta.2.
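The two defect classes named above (an unrestricted unserialize() on attacker-reachable data, and request-controlled values interpolated into a shell string) are common enough that it is worth seeing each one beside its hardened form. The following is an added example written for this page; it is not Grav's code and does not reproduce the affected call sites. The class name JobRecord, the function names, and the sample serialized string are all constructed for illustration.

```php
<?php
// Added example (not Grav's code): the unsafe pattern beside a hardened replacement
// for each of the two defect classes described in the advisory.

// 1. Deserialization. A bare unserialize() instantiates whatever class the payload
//    names, so any class with a usable __wakeup()/__destruct() becomes a gadget.
function unsafe_unserialize(string $data): mixed
{
    return unserialize($data); // no restriction on which classes may be created
}

// allowed_classes => false: object entries come back as __PHP_Incomplete_Class and
// no application-class constructor, __wakeup() or __destruct() is ever invoked.
function safe_unserialize(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false]);
}

// When one specific class is legitimately expected (a queued job, say), allow-list
// exactly that class and verify the result. JobRecord is hypothetical.
final class JobRecord
{
    public string $name = '';
}

function safe_unserialize_job(string $data): ?JobRecord
{
    $obj = unserialize($data, ['allowed_classes' => [JobRecord::class]]);
    return $obj instanceof JobRecord ? $obj : null;
}

// For cache/queue/session records the application writes itself, a format that
// carries no class names (JSON) removes the object-injection surface entirely.
function decode_record(string $data): ?array
{
    $value = json_decode($data, true);
    return is_array($value) ? $value : null;
}

// 2. Command construction. Interpolating branch/url/path straight into a shell
//    string lets shell metacharacters in any of them alter the command.
function unsafe_git_clone_cmd(string $branch, string $url, string $path): string
{
    return "git clone --branch $branch $url $path"; // unescaped interpolation
}

// escapeshellarg() quotes each value as a single argument, and "--" stops git from
// reading a repository or path that begins with "-" as an option.
function safe_git_clone_cmd(string $branch, string $url, string $path): string
{
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._\/-]*\z/', $branch)) {
        throw new InvalidArgumentException('branch name contains unexpected characters');
    }
    return 'git clone --branch ' . escapeshellarg($branch)
        . ' -- ' . escapeshellarg($url) . ' ' . escapeshellarg($path);
}

// Constructed inputs for illustration.
$payload = 'O:9:"JobRecord":1:{s:4:"name";s:7:"nightly";}';

var_dump(safe_unserialize($payload) instanceof __PHP_Incomplete_Class); // bool(true)
var_dump(safe_unserialize_job($payload)?->name);                         // string(7) "nightly"
var_dump(decode_record('{"name":"nightly"}'));                           // array(1) { ["name"]=> string(7) "nightly" }

echo safe_git_clone_cmd('main', 'https://example.invalid/plugin.git', 'user/plugins/example'), PHP_EOL;
```

The allow-list form is the right choice only when the serialized data is produced by the application itself and never crosses a trust boundary; for anything a client can influence, storing JSON rather than PHP serialization avoids the question of gadget chains altogether. For the command case, argument escaping is a floor, not a ceiling: validating the branch against an expected character set, as above, keeps the git invocation predictable even when the shell is taken out of the picture.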

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: 2.0.0-beta.2
Affected Products: 1


HarborGuard Analysis

Synopsis

Multiple remote code execution vulnerabilities affect Grav CMS before version 2.0.0-beta.2, including unsafe PHP deserialization in three components (Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session), an OS command injection flaw in the InstallCommand git clone operation, and a Twig server-side template injection bypass. The deserialization paths are reachable over the network with no authentication required, and successful exploitation gives an attacker arbitrary code execution on the host. A patched-image rebuild at 2.0.0-beta.2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-56700 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. Coverage extends to custom-built images that bundle Grav, so internally maintained containers are not excluded from matching.

Triage: Available

Triage is available with the full CVSS v4.0 score of 9.3 (Critical) applied automatically, weighted further by each customer organization's compliance policy to prioritize routing. Alerts are directed to the appropriate team inbox within each customer org based on workload ownership rules configured in HarborGuard.

Patch: Available

A patched-image rebuild targeting Grav 2.0.0-beta.2 is available for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable deserialization endpoints are exposed over the network, so an attacker must be able to reach the service via HTTP/HTTPS to deliver a malicious payload.

  • Authentication: Not required

    The deserialization vulnerabilities require no credentials; the command injection via InstallCommand does require admin access, but the primary RCE paths are unauthenticated.

  • Victim interaction: Not required

    No user action or social engineering is needed; the attacker sends a crafted request directly to the application.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other hard-to-control environmental factors.

Blast Radius

  • Executes arbitrary OS commands or PHP code under the web server process, giving the attacker a foothold on the host.
  • Reads any file accessible to the web server user, including application secrets, database credentials, and session data.
  • Writes or overwrites files on the server, enabling persistent backdoors or defacement of served content.
  • Crashes or disrupts the Grav application and any co-located services sharing the same container or process namespace.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-56700 is active across all customer environments, matching against both pulled and custom-built images that include Grav. Given the Critical CVSS v4.0 score of 9.3 and the zero-authentication RCE exposure, this issue is surfaced at the highest priority tier. For customers who opt into auto-remediation, HarborGuard can rebuild the affected image at Grav 2.0.0-beta.2, run regression tests against the rebuilt image, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the triage alert includes the fix version, affected component list, and a direct link to the upstream changelog. Customers who cannot immediately upgrade are encouraged to apply network-policy controls that restrict which sources can reach Grav's HTTP endpoints, and to audit any admin accounts with access to plugin or theme installation to limit the command injection surface.


Fix available: 2.0.0-beta.2

Affected packages
  • Grav / Grav: < 2.0.0-beta.2 (from 0); fixed in 2.0.0-beta.2

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N