Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H because a valid token must first leak into a log/Referer/proxy the attacker can read; PR:N since the captured token needs no prior privilege, and C:H/I:H reflect full admin read plus account/settings/page modification.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
The Grav API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 accepts JWT access tokens through the ?token= URL query parameter on every API route (JwtAuthenticator::extractBearerToken fallback). Because tokens are embedded in URLs, they are logged verbatim in web server access logs, leaked via the Referer header, stored in browser history, and captured by upstream proxy and CDN logs, exposing valid admin access tokens. A leaked token grants unauthorized API access, including reading configuration and user data, creating admin accounts, modifying system settings, and deleting pages.
AnalysisAI
Sensitive token exposure in the Grav CMS API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 allows attackers to hijack valid admin sessions after JWT access tokens leak from URLs. Because JwtAuthenticator::extractBearerToken accepts tokens via the ?token= query string on every API route, those tokens are written verbatim into web server access logs, Referer headers, browser history, and upstream proxy/CDN logs, and any captured token grants full admin API access. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a valid Grav API JWT actually be transmitted in the ?token= URL query parameter (the JwtAuthenticator::extractBearerToken fallback) and that the attacker can then read it from one of the leak channels named in the advisory: web server access logs, the Referer header, browser history, or upstream proxy/CDN logs. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H) rates this 8.2 High, and the key nuance is AT:P - attack requirements are present, meaning exploitation is not a single self-contained request but depends on a valid admin token first being emitted in a URL and then captured from a log, Referer chain, proxy, or CDN the attacker can read. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An admin or automation client calls a Grav API route as https://site/api/…?token=<JWT>; that full URL is recorded in the site's Nginx access log and forwarded in the Referer header and CDN logs. An attacker with read access to any of those log stores (or a shared upstream proxy) lifts the still-valid token and replays it against the API to create a new admin account or dump configuration. … |
| Remediation | Vendor-released patch: upgrade the Grav API plugin to 1.0.0-rc.16 or later, which removes the ?token= query-parameter fallback so tokens are only accepted in the Authorization header (see GHSA-4hpj-wmpw-ghwq). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all Grav CMS instances running the API plugin and determine which are using versions before 1.0.0-rc.16. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical
A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plug
Grav is a file-based Web platform. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low a
GravCMS 1.10.7 allows unauthenticated remote attackers to write arbitrary YAML configuration files, leading to full serv
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or e
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (S
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45086
GHSA-cx27-6j8x-h4h6