CVE-2026-56700: Grav - Multiple Remote Code Execution Vulnerabilities via Unsafe Unserialize and Command Injection
Grav CMS before 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize() calls - in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session - deserialize untrusted data without restricting allowed classes, enabling PHP object injection and, via a gadget chain, arbitrary code execution where an attacker controls the serialized input. Additionally, InstallCommand's git clone operation passes the branch, url, and path parameters into a shell command without escaping, allowing OS command injection via plugin/theme installation (which requires admin access). A Twig security blocklist bypass (server-side template injection) is also present. The issues are fixed in 2.0.0-beta.2.
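As an added illustration of the two defect classes described above (not Grav's own code and not the upstream fix), the following PHP shows a deserialization wrapper that refuses objects outright and a clone-command builder that validates and quotes its arguments; the function names, the URL/branch patterns and the `--depth 1` flag are this example's assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical hardened counterparts (not Grav's code) to the two
// patterns the advisory describes.

// 1. Deserialization. The unsafe pattern is unserialize($raw) with no
//    class restriction. allowed_classes=false turns every object into
//    __PHP_Incomplete_Class, so no constructor, __wakeup or
//    __destruct of an application class can ever run.
function restrictedUnserialize(string $raw): array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        throw new UnexpectedValueException('malformed serialized data');
    }
    if (!is_array($value)) {
        throw new UnexpectedValueException('expected a serialized array');
    }
    // Reject objects nested inside the array as well.
    array_walk_recursive($value, function ($item): void {
        if ($item instanceof __PHP_Incomplete_Class) {
            throw new UnexpectedValueException('object in serialized payload');
        }
    });
    return $value;
}

// 2. Shell command. The unsafe pattern interpolates url, branch and path
//    into a git clone string. Validate the ref, quote every argument and
//    use "--" so git never reads a user value as an option.
function buildCloneCommand(string $url, string $branch, string $path): string
{
    if (!preg_match('~^https://[A-Za-z0-9._/-]+$~', $url)) {
        throw new InvalidArgumentException('url must be a plain https URL');
    }
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._\/-]*$/', $branch)) {
        throw new InvalidArgumentException('invalid branch name');
    }
    return 'git clone --depth 1 --branch ' . escapeshellarg($branch)
        . ' -- ' . escapeshellarg($url) . ' ' . escapeshellarg($path);
}

// Constructed demonstration inputs, not values from the advisory.
var_dump(restrictedUnserialize('a:1:{s:3:"job";s:5:"build";}'));
try {
    restrictedUnserialize('O:8:"stdClass":0:{}');
} catch (UnexpectedValueException $e) { echo $e->getMessage(), "\n"; }
echo buildCloneCommand('https://example.com/plugins/demo.git', 'main', '/tmp/demo'), "\n";
```

PHP's own documentation advises against calling unserialize() on untrusted input at all, even with allowed_classes set; where the storage format is under the project's control, a plain data format such as JSON removes the object-instantiation surface entirely.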
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: 2.0.0-beta.2
- Affected Products: 1
HarborGuard Analysis
Synopsis
Multiple remote code execution vulnerabilities affect Grav CMS before version 2.0.0-beta.2, including unsafe PHP deserialization in three components (Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session), an OS command injection flaw in the InstallCommand git clone operation, and a Twig server-side template injection bypass. The deserialization paths are reachable over the network with no authentication required, and successful exploitation gives an attacker arbitrary code execution on the host. A patched-image rebuild at 2.0.0-beta.2 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection: Available
Detection capability for CVE-2026-56700 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. Coverage extends to custom-built images that bundle Grav, so internally maintained containers are not excluded from matching.
Triage: Available
Triage is available with the full CVSS v4.0 score of 9.3 (Critical) applied automatically, weighted further by each customer organization's compliance policy to prioritize routing. Alerts are directed to the appropriate team inbox within each customer org based on workload ownership rules configured in HarborGuard.
Remediation: Available
A patched-image rebuild targeting Grav 2.0.0-beta.2 is available for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable deserialization endpoints are exposed over the network, so an attacker must be able to reach the service via HTTP/HTTPS to deliver a malicious payload.
- Authentication: Not required
The deserialization vulnerabilities require no credentials; the command injection via InstallCommand does require admin access, but the primary RCE paths are unauthenticated.
- Victim interaction: Not required
No user action or social engineering is needed; the attacker sends a crafted request directly to the application.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other hard-to-control environmental factors.
Blast Radius
- Executes arbitrary OS commands or PHP code under the web server process, giving the attacker a foothold on the host.
- Reads any file accessible to the web server user, including application secrets, database credentials, and session data.
- Writes or overwrites files on the server, enabling persistent backdoors or defacement of served content.
- Crashes or disrupts the Grav application and any co-located services sharing the same container or process namespace.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-56700 is active across all customer environments, matching against both pulled and custom-built images that include Grav. Given the Critical CVSS v4.0 score of 9.3 and the zero-authentication RCE exposure, this issue is surfaced at the highest priority tier. For customers who opt into auto-remediation, HarborGuard can rebuild the affected image at Grav 2.0.0-beta.2, run regression tests against the rebuilt image, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the triage alert includes the fix version, affected component list, and a direct link to the upstream changelog. Customers who cannot immediately upgrade are encouraged to apply network-policy controls that restrict which sources can reach Grav's HTTP endpoints, and to audit any admin accounts with access to plugin or theme installation to limit the command injection surface.
Fix available
- Grav / Grav: affected < 2.0.0-beta.2 (from 0); fixed in 2.0.0-beta.2
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N