Skip to main content

Grav API plugin CVE-2026-62231

| EUVDEUVD-2026-45119 HIGH
Incorrect Authorization (CWE-863)
2026-07-17 VulnCheck GHSA-q7w3-h9x7-95x7
8.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Attacker needs a valid but low-scope API key (PR:L) reachable over the network (AV:N/AC:L); bypass yields full read/write on the owner's data (C:H/I:H) with no availability loss (A:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 17, 2026 - 02:32 EUVD
Analysis Generated
Jul 17, 2026 - 00:54 vuln.today
CVE Published
Jul 17, 2026 - 00:07 cve.org
HIGH 8.6

DescriptionCVE.org

The Grav API plugin (getgrav/grav-plugin-api) before 1.0.6 contains an authorization bypass: API keys can be created with a restricted scopes array, but the ApiKeyAuthenticator class never reads or enforces these scopes. It loads and returns the owning user's full account object, so a key created with limited scopes (e.g. read-only) can perform any write, delete, or administrative operation the owning user is authorized for. Fixed in 1.0.6.

AnalysisAI

Authorization bypass in the Grav API plugin (getgrav/grav-plugin-api) before 1.0.6 lets any valid API key perform actions far beyond its intended scope. Although keys can be provisioned with a restricted scopes array (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain restricted-scope API key
Delivery
Send write/delete/admin API request
Exploit
Authenticator loads full user account
Execution
Scope check skipped
Impact
Execute unauthorized operation

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to possess a valid Grav API plugin key of any scope on a version before 1.0.6 - this is the PR:L authenticated prerequisite from the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 score of 8.6 (High) with vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N reflects a network-reachable, low-complexity flaw requiring only low privileges (a valid but restricted API key) and no user interaction, yielding high confidentiality and integrity impact with no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An organization issues a contractor a read-only Grav API key to pull content. Because ApiKeyAuthenticator ignores the scopes array and grants the owning user's full permissions, the contractor simply sends write, delete, or admin API requests with that same key and they succeed. …
Remediation Vendor-released patch: upgrade the Grav API plugin to version 1.0.6 or later, which corrects ApiKeyAuthenticator to read and enforce the key's scopes; this is the primary and complete fix per advisory GHSA-x7hm-jc32-v39j. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all issued API keys and restrict their distribution to only critical applications; disable any unused keys immediately and document the intended scope of remaining keys. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Grav

View all
CVE-2025-66294 HIGH POC
8.8 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists

CVE-2025-66301 CRITICAL POC
9.6 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical

CVE-2025-50286 HIGH POC
8.1 Aug 06

A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plug

CVE-2024-34082 CRITICAL POC
9.9 May 15

Grav is a file-based Web platform. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low a

CVE-2021-47812 CRITICAL POC
9.8 Jan 16

GravCMS 1.10.7 allows unauthenticated remote attackers to write arbitrary YAML configuration files, leading to full serv

CVE-2025-66297 HIGH POC
8.8 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or e

CVE-2025-66299 HIGH POC
8.8 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (S

CVE-2024-28119 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-28118 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-28117 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-28116 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-27921 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

Share

CVE-2026-62231 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy