Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network REST endpoints (AV:N) with simple calls (AC:L) but requiring a real api.users.write manager account (PR:L); super-admin takeover yields full C/I/A impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
grav-plugin-api before 1.0.6 fails to validate super-admin status in createApiKey, generate2fa, and disable2fa endpoints, allowing non-super api.users.write managers to escalate to super-admin. Attackers can mint API keys bound to super-admin accounts or strip 2FA from super-admin users to achieve full instance takeover.
AnalysisAI
Privilege escalation in the getgrav grav-plugin-api before 1.0.6 allows a low-privileged manager holding the api.users.write permission to become a super-admin. The createApiKey, generate2fa, and disable2fa endpoints never re-check super-admin status, so an attacker can mint API keys bound to super-admin accounts or strip 2FA from super-admin users and take over the entire Grav instance. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Grav account holding the api.users.write manager permission on an instance running grav-plugin-api before 1.0.6 with the API plugin enabled and network-reachable; the attacker then invokes the createApiKey, generate2fa, or disable2fa endpoints against a super-admin target. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H, base 8.7) describes a network-reachable, low-complexity attack that requires an authenticated low-privilege account and no user interaction, with high confidentiality, integrity, and availability impact on the vulnerable system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained a non-super manager account carrying the api.users.write permission (via insider access, phishing, or credential reuse) sends an authenticated API request to createApiKey specifying a super-admin account and receives a key granting full super-admin control. Alternatively they call disable2fa against a super-admin to strip that user's second factor and ease account takeover. … |
| Remediation | Upgrade grav-plugin-api to version 1.0.6 or later, which adds the missing super-admin validation to the createApiKey, generate2fa, and disable2fa endpoints (Vendor-released patch: 1.0.6); see https://github.com/getgrav/grav/security/advisories/GHSA-8gg4-rvvv-cq96. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all users with api.users.write permission and immediately revoke access from any low-trust accounts or those without active API administration duties; document the audit findings. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection (SSTI) vulnerability exists
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, due to improper authorization checks when modifying critical
A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plug
Grav is a file-based Web platform. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low a
GravCMS 1.10.7 allows unauthenticated remote attackers to write arbitrary YAML configuration files, leading to full serv
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a user with admin panel access and permissions to create or e
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, Grav CMS is vulnerable to a Server-Side Template Injection (S
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Grav is an open-source, flat-file content management system. Rated high severity (CVSS 8.8), this vulnerability is remot
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45121
GHSA-qrm9-ppgh-qwm9