Security: registration privilege strip + Grav 2.0 nonce-key bridge

- GHSA-pxm6-mhxr-q4mj (critical, unauth): the registration form handler
  now ignores client-supplied `groups` and `access` even if an admin
  added them to user_registration.fields, preventing self-registration
  as super-admin. Logs a warning on any attempted injection. Server-side
  default_values, invitations and the user_registration.{groups,access}
  config remain authoritative.

- IP pseudonymization (rate-limit keys, remember-me cookie salt) now
  uses Security::getNonceKey() when running on Grav 2.0+, falling back
  to the legacy security.salt config read on Grav 1.7. Tracks Grav 2.0's
  GHSA-3f29-pqwf-v4j4 fix without breaking 1.7 compatibility.

Author: rhukster

CHANGELOG.md

@@ -1,3 +1,11 @@
+# v3.8.2
+## 04/23/2026
+
+1. [](#bugfix)
+   * [security] Fixed unauthenticated privilege escalation in `Login::register` (GHSA-pxm6-mhxr-q4mj): if an admin added `groups` or `access` to `user_registration.fields`, an attacker could self-register as super-admin by POSTing those values. Registration form input for those fields is now ignored with a log warning; server-side config, `default_values`, and invitations remain authoritative.
+2. [](#improved)
+   * IP pseudonymization (rate-limit keys, remember-me cookie salt) now uses `Security::getNonceKey()` when running on Grav 2.0+, and continues to read `security.salt` from config on Grav 1.7. Tracks Grav 2.0's GHSA-3f29-pqwf-v4j4 remediation (HMAC key is no longer reachable via sandboxed Twig).
+
 # v3.8.1
 ## 04/17/2026
 

classes/Login.php

@@ -19,6 +19,7 @@
 use Grav\Common\Page\Interfaces\PageInterface;
 use Grav\Common\Page\Page;
 use Grav\Common\Page\Pages;
+use Grav\Common\Security;
 use Grav\Common\Session;
 use Grav\Common\User\Interfaces\UserCollectionInterface;
 use Grav\Common\User\Interfaces\UserInterface;
@@ -349,8 +350,13 @@ public function getIpKey(?string $ip = null): string
         $isIPv4 = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
         $ipKey = $isIPv4 ? $ip : Utils::getSubnet($ip, $this->grav['config']->get('plugins.login.ipv6_subnet_size'));
 
-        // Pseudonymization of the IP
-        return sha1($ipKey . $this->grav['config']->get('security.salt'));
+        // Pseudonymization of the IP. Grav 2.0 moved the HMAC key out of Config
+        // (GHSA-3f29-pqwf-v4j4); fall back to the legacy key on Grav 1.7.
+        $key = method_exists(Security::class, 'getNonceKey')
+            ? Security::getNonceKey()
+            : (string) $this->grav['config']->get('security.salt');
+
+        return sha1($ipKey . $key);
     }
 
     /**
@@ -581,9 +587,13 @@ public function rememberMe($var = null)
             $this->rememberMe->setExpireTime($timeout);
 
             // Hardening cookies with user-agent and random salt or
-            // fallback to use system based cache key
+            // fallback to use system based cache key. Grav 2.0 moved the HMAC key
+            // out of Config (GHSA-3f29-pqwf-v4j4); use it when available.
             $server_agent = $_SERVER['HTTP_USER_AGENT'] ?? 'unknown';
-            $data = $server_agent . $config->get('security.salt', $this->grav['cache']->getKey());
+            $saltKey = method_exists(Security::class, 'getNonceKey')
+                ? Security::getNonceKey()
+                : (string) $config->get('security.salt', $this->grav['cache']->getKey());
+            $data = $server_agent . $saltKey;
             $this->rememberMe->setSalt(hash('sha512', $data));
 
             // Set cookie with correct base path of Grav install

login.php

@@ -1023,6 +1023,13 @@ private function processUserRegistration(FormInterface $form, Event $event): voi
 
         $fields = (array)$this->config->get('plugins.login.user_registration.fields', []);
 
+        // Privilege fields must never be sourced from public registration form input —
+        // honoring attacker-supplied values would grant instant super-admin even if an
+        // administrator mistakenly added them to `user_registration.fields`
+        // (GHSA-pxm6-mhxr-q4mj). Server-side `default_values`, invitations, and the
+        // `plugins.login.user_registration.{groups,access}` config remain authoritative.
+        $privilegeFields = ['groups', 'access'];
+
         foreach ($fields as $field) {
             // Process value of field if set in the page process.register_user
             $default_values = (array)$this->config->get('plugins.login.user_registration.default_values');
@@ -1040,6 +1047,17 @@ private function processUserRegistration(FormInterface $form, Event $event): voi
                 }
             }
 
+            if (in_array($field, $privilegeFields, true)) {
+                if ($form_data->get($field) !== null) {
+                    $this->grav['log']->warning(sprintf(
+                        'Login registration: ignored client-supplied "%s" from form submission (username=%s)',
+                        $field,
+                        is_string($username) ? $username : '<invalid>'
+                    ));
+                }
+                continue;
+            }
+
             if (!isset($data[$field]) && $form_data->get($field)) {
                 $data[$field] = $form_data->get($field);
             }