Grav CMS Backup Endpoint Exposes Admin Password Hashes and Full Installation
What changed
The backup download endpoint in Grav CMS lets an authenticated administrator who holds backup permissions download a ZIP archive of the entire Grav installation root. That archive includes user/accounts/admin.yaml (the administrator's bcrypt password hash and e-mail address) and all of user/config/ (site configuration). The download URL is guarded only by the admin-nonce, which is static for the life of the session, and carries no per-request CSRF token; the URL also embeds the server's full filesystem path as a Base64-encoded query parameter, so anyone who sees the link learns where the installation lives on disk.
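The two URL properties described above (a nonce that does not change for the session and a Base64-encoded path in the query string) are both visible in web server access logs, so a detection over those logs is the natural check. The following is an added example, not code from Grav or from the original page: it parses combined-format access log lines, keeps requests to the admin backup endpoint, decodes any query parameter whose value is Base64 for an absolute filesystem path, and records the admin-nonce value so repeated use of one nonce from different clients can be spotted. The sample log lines are constructed; the client addresses, the nonce value and the query-parameter name "file" are assumptions, and the `/admin` prefix is Grav's default admin route, which installations can rename.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Combined-format access log (Apache/nginx). Only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines: hypothetical client addresses, nonce value and
# query-parameter name ("file"). The Base64 value is built here so that the
# sample decodes to the path shown.
ENCODED_PATH = base64.b64encode(b"/var/www/grav/backup/grav-backup.zip").decode()
SAMPLE_LOG = (
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /admin/backup?file='
    + ENCODED_PATH
    + '&admin-nonce=abc123 HTTP/1.1" 200 4096000 "-" "Mozilla/5.0"\n'
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /admin/pages HTTP/1.1" 200 1234 "-" "Mozilla/5.0"\n'
    '198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /admin/backup?file=notbase64 HTTP/1.1" 403 12 "-" "curl/8.0"\n'
)

# An absolute POSIX path or a Windows drive path made of printable ASCII.
PATH_RE = re.compile(r"^(?:/|[A-Za-z]:\\)[\x20-\x7e]+$")


def decode_path(value):
    """Decode a query-parameter value as Base64 (standard or URL-safe alphabet)
    and return it if it looks like an absolute filesystem path, otherwise None."""
    candidate = value.replace(" ", "+")        # parse_qsl turns '+' into ' '
    candidate += "=" * (-len(candidate) % 4)   # tolerate stripped padding
    try:
        raw = base64.b64decode(candidate, altchars=b"-_", validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):       # UnicodeDecodeError is a ValueError
        return None
    return text if PATH_RE.match(text) else None


def find_backup_downloads(log_text):
    """Return one finding per request to the admin backup endpoint, with any
    Base64-encoded filesystem paths decoded and the admin-nonce value captured."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.startswith("/admin/backup"):   # assumes the default admin route
            continue
        params = dict(parse_qsl(url.query, keep_blank_values=True))
        leaked = {k: p for k, v in params.items() if (p := decode_path(v))}
        findings.append({
            "client": m.group("client"),
            "time": m.group("time"),
            "status": int(m.group("status")),
            "nonce": params.get("admin-nonce"),
            "leaked_paths": leaked,
        })
    return findings


if __name__ == "__main__":
    for finding in find_backup_downloads(SAMPLE_LOG):
        print(finding)
```

Because the nonce is session-static, the useful alert is not a single backup download but the same admin-nonce value appearing from more than one client address, or a download request whose Referer or User-Agent does not match the administrator's normal browser session; group the findings by `nonce` to surface that.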
Who it affects
Grav CMS instances with at least one account that holds backup permissions. Because the endpoint checks no per-request CSRF token, the admin-nonce is the only thing protecting the download, and an attacker who learns a single nonce value (through Referer header leakage, the browser history of a shared machine, or a cross-site scripting flaw on the site) can retrieve the archive, exfiltrate the stored password hashes for offline cracking, and take over the administrator account.
What to do today
Apply the vendor-supplied patch or update to a release that narrows the backup scope and validates the nonce per request. Until that is possible, grant backup permissions only to the smallest set of trusted administrators, treat every backup archive as containing admin credentials (rotate administrator passwords if an archive may have left the server), and put additional CSRF protection, such as a per-request token or an Origin/Referer check, in front of the backup endpoint.
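Treating every archive as credential-bearing is easier once you can verify what an archive actually holds. The following is an added example, not code from Grav or from the original page: it builds a constructed miniature backup with the layout the advisory describes (user/accounts/admin.yaml carrying a dummy bcrypt-shaped hash and e-mail address, plus user/config/), audits an archive for those members, and produces a copy with the account files removed for the case where a backup must leave the server. The member layout and the `email:` and `hashed_password:` keys follow the advisory's description of the archive; the dummy hash is not a real credential.

```python
import io
import re
import zipfile

# Archive members that hold credentials or site configuration, per the advisory.
SENSITIVE_PREFIXES = ("user/accounts/", "user/config/")
# bcrypt hash as stored under hashed_password: $2y$<cost>$<22-char salt + 31-char hash>
BCRYPT_RE = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")
EMAIL_RE = re.compile(r"^email:\s*(\S+)", re.M)


def build_sample_backup():
    """Constructed miniature backup archive with the layout the advisory describes.
    The hashed_password value is a dummy bcrypt-shaped string, not a real credential."""
    dummy_hash = "$2y$10$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "user/accounts/admin.yaml",
            "email: admin@example.com\n"
            "fullname: Site Admin\n"
            "state: enabled\n"
            "access:\n  admin:\n    login: true\n    super: true\n"
            f"hashed_password: {dummy_hash}\n",
        )
        zf.writestr("user/config/system.yaml", "absolute_urls: false\n")
        zf.writestr("user/pages/01.home/default.md", "# Home\n")
    return buf.getvalue()


def audit_backup(zip_bytes):
    """Report which sensitive members an archive contains and how many bcrypt
    hashes and account e-mail addresses are recoverable from them."""
    report = {"sensitive_members": [], "hash_count": 0, "emails": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith(SENSITIVE_PREFIXES):
                continue
            report["sensitive_members"].append(name)
            text = zf.read(name).decode("utf-8", errors="replace")
            report["hash_count"] += len(BCRYPT_RE.findall(text))
            report["emails"].extend(EMAIL_RE.findall(text))
    return report


def strip_accounts(zip_bytes):
    """Return a copy of the archive without user/accounts/, for the case where a
    backup has to leave the server but the credential files must not."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename.startswith("user/accounts/"):
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_backup()
    print("original:", audit_backup(sample))
    print("stripped:", audit_backup(strip_accounts(sample)))
```

Run `audit_backup` over archives already sitting in the backup directory or in off-site storage: any archive with a non-zero `hash_count` that may have been reachable by someone other than the administrator is a reason to rotate the passwords it contains, not just to delete the file.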