Skip to main content

Grav Flex-Objects EUVDEUVD-2026-45081

| CVE-2026-62235 LOW
Missing Authorization (CWE-862)
2026-07-17 VulnCheck GHSA-gv8p-326f-p8gj
2.3
CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.0 MEDIUM

AC:H reflects the AT:P condition (permission-less directories must exist); PR:L reflects mandatory api.access authentication; no scope change applies.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 17, 2026 - 02:32 EUVD
Analysis Generated
Jul 17, 2026 - 01:02 vuln.today

DescriptionCVE.org

Grav Flex-Objects before version 1.4.3 contains a broken access control vulnerability in the admin-next REST API that allows authenticated users with only api.access permission to perform unauthorized CRUD operations on permission-less directories. Attackers with api.access credentials can create, read, update, delete, and export objects from any directory lacking an explicit permissions configuration, bypassing intended authorization controls.

AnalysisAI

Broken access control in Grav Flex-Objects before 1.4.3 permits authenticated users holding only the api.access permission to perform full CRUD operations on directories lacking explicit permission configurations via the admin-next REST API. The vulnerability bypasses intended authorization controls (CWE-862) because the REST API fails to enforce object-level permission checks when no explicit policy is defined for a directory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain api.access credentials
Delivery
Enumerate Flex-Objects directories via REST API
Exploit
Identify permission-less directories (AT:P condition)
Execution
Issue unauthorized CRUD/export requests
Impact
Exfiltrate or manipulate CMS object data

Vulnerability AssessmentAI

Exploitation Exploitation requires two simultaneous conditions: (1) the attacker must possess valid credentials with at minimum the api.access permission - unauthenticated exploitation is not possible (PR:L in CVSS 4.0); and (2) the target Grav installation must contain one or more Flex-Objects directories that lack an explicit permissions configuration (the AT:P attack requirement). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 2.3 (Low) reflects a narrow-impact, conditionally exploitable flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained valid api.access credentials - for example, through credential reuse, a compromised API token, or a low-privilege account provisioned for integration purposes - sends crafted REST API requests to the admin-next endpoint targeting directories that have no explicit permission policy defined. Because no authorization check is enforced for those directories, the attacker can enumerate, read, create, update, delete, or export Flex-Objects content they are not intended to access. …
Remediation Upgrade Grav Flex-Objects to version 1.4.3 or later, which is the vendor-released patch as confirmed by the GitHub security advisory at https://github.com/getgrav/grav/security/advisories/GHSA-23vq-365v-qcmh. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Grav

View all
CVE-2025-66294 HIGH POC
8.8 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists

CVE-2025-66301 CRITICAL POC
9.6 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical

CVE-2025-50286 HIGH POC
8.1 Aug 06

A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plug

CVE-2024-34082 CRITICAL POC
9.9 May 15

Grav is a file-based Web platform. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low a

CVE-2021-47812 CRITICAL POC
9.8 Jan 16

GravCMS 1.10.7 allows unauthenticated remote attackers to write arbitrary YAML configuration files, leading to full serv

CVE-2025-66297 HIGH POC
8.8 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or e

CVE-2025-66299 HIGH POC
8.8 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (S

CVE-2024-28119 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-28118 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-28117 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-28116 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-27921 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

Share

EUVD-2026-45081 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy