Skip to main content

Grav API Plugin EUVDEUVD-2026-45121

| CVE-2026-62233 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-17 VulnCheck GHSA-qrm9-ppgh-qwm9
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network REST endpoints (AV:N) with simple calls (AC:L) but requiring a real api.users.write manager account (PR:L); super-admin takeover yields full C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 17, 2026 - 02:32 EUVD
Analysis Generated
Jul 17, 2026 - 00:53 vuln.today
CVE Published
Jul 17, 2026 - 00:07 cve.org
HIGH 8.7

DescriptionCVE.org

grav-plugin-api before 1.0.6 fails to validate super-admin status in createApiKey, generate2fa, and disable2fa endpoints, allowing non-super api.users.write managers to escalate to super-admin. Attackers can mint API keys bound to super-admin accounts or strip 2FA from super-admin users to achieve full instance takeover.

AnalysisAI

Privilege escalation in the getgrav grav-plugin-api before 1.0.6 allows a low-privileged manager holding the api.users.write permission to become a super-admin. The createApiKey, generate2fa, and disable2fa endpoints never re-check super-admin status, so an attacker can mint API keys bound to super-admin accounts or strip 2FA from super-admin users and take over the entire Grav instance. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as api.users.write manager
Delivery
Call createApiKey/disable2fa on super-admin
Exploit
Mint super-admin key or strip 2FA
Execution
Assume super-admin session
Impact
Full Grav instance takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Grav account holding the api.users.write manager permission on an instance running grav-plugin-api before 1.0.6 with the API plugin enabled and network-reachable; the attacker then invokes the createApiKey, generate2fa, or disable2fa endpoints against a super-admin target. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H, base 8.7) describes a network-reachable, low-complexity attack that requires an authenticated low-privilege account and no user interaction, with high confidentiality, integrity, and availability impact on the vulnerable system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a non-super manager account carrying the api.users.write permission (via insider access, phishing, or credential reuse) sends an authenticated API request to createApiKey specifying a super-admin account and receives a key granting full super-admin control. Alternatively they call disable2fa against a super-admin to strip that user's second factor and ease account takeover. …
Remediation Upgrade grav-plugin-api to version 1.0.6 or later, which adds the missing super-admin validation to the createApiKey, generate2fa, and disable2fa endpoints (Vendor-released patch: 1.0.6); see https://github.com/getgrav/grav/security/advisories/GHSA-8gg4-rvvv-cq96. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all users with api.users.write permission and immediately revoke access from any low-trust accounts or those without active API administration duties; document the audit findings. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Grav

View all
CVE-2025-66294 HIGH POC
8.8 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists

CVE-2025-66301 CRITICAL POC
9.6 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical

CVE-2025-50286 HIGH POC
8.1 Aug 06

A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plug

CVE-2024-34082 CRITICAL POC
9.9 May 15

Grav is a file-based Web platform. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low a

CVE-2021-47812 CRITICAL POC
9.8 Jan 16

GravCMS 1.10.7 allows unauthenticated remote attackers to write arbitrary YAML configuration files, leading to full serv

CVE-2025-66297 HIGH POC
8.8 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or e

CVE-2025-66299 HIGH POC
8.8 Dec 01

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (S

CVE-2024-28119 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-28118 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-28117 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-28116 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

CVE-2024-27921 HIGH POC
8.8 Mar 21

Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot

Share

EUVD-2026-45121 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy