CVE-2026-42843

Grav · Grav API Plugin

An incorrect authorization vulnerability in the Grav API Plugin allows unauthorized users to perform actions exceeding their intended permissions.

Executive summary

The Grav API Plugin is susceptible to an authorization bypass vulnerability, potentially allowing unauthorized access to sensitive site configuration and user data.

Vulnerability

This is an authorization flaw (CWE-863) within the RESTful API component. It allows an attacker to interact with site content, media, and system management functions without proper validation of user privileges.

Business impact

With a CVSS score of 8.8, this vulnerability presents a high risk of total system compromise. Unauthorized access to the Grav CMS through the API could result in data exfiltration, unauthorized modification of site configuration, and potential takeover of administrative accounts.

Remediation

Immediate Action: Upgrade the Grav API Plugin to version 1.0.0-beta.15 or later without delay to resolve the authorization logic error.

Proactive Monitoring: Audit API access logs for unauthorized attempts to access administrative endpoints or system configuration files.

Compensating Controls: Restrict access to the API endpoints via IP whitelisting or disable the API plugin entirely if it is not required for current site operations.
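To make the monitoring and IP-allowlisting steps above concrete, here is an added example (not part of this advisory or the Grav project) that audits web-server access log lines for API requests from outside an allowlist or successful mutating calls with no authenticated user. The `/api/` route prefix, the allowlisted networks and the log lines are all constructed assumptions; adjust the prefix to the route the plugin actually serves on your site.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: the plugin's endpoints live under this prefix (not taken from the advisory).
API_PREFIX = "/api/"
# Constructed allowlist of networks permitted to reach the API.
ALLOWED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.10/32")]
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_allowed_ip(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # malformed source field: treat as not allowlisted
    return any(addr in net for net in ALLOWED_NETWORKS)

def audit(lines):
    """Return (ip, method, path, status, reasons) for API requests worth review."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(API_PREFIX):
            continue
        reasons = []
        if not is_allowed_ip(rec["ip"]):
            reasons.append("source not in allowlist")
        # Heuristic: the combined-log user field only records HTTP-auth users,
        # so "-" on a successful write is a prompt to check the plugin's own auth logs.
        if rec["method"] in MUTATING and 200 <= rec["status"] < 300 and rec["user"] == "-":
            reasons.append("successful mutating call without authenticated user")
        if reasons:
            findings.append((rec["ip"], rec["method"], rec["path"], rec["status"], reasons))
    return findings

SAMPLE_LOG = [  # constructed sample lines
    '10.0.0.5 - admin [01/Jan/2026:10:00:00 +0000] "GET /api/pages HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "GET /api/config/system HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    '10.0.0.5 - - [01/Jan/2026:10:00:09 +0000] "POST /api/pages HTTP/1.1" 201 64 "-" "curl/8.0"',
    '10.0.0.5 - - [01/Jan/2026:10:00:12 +0000] "GET /user/login HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    '203.0.113.10 - admin [01/Jan/2026:10:00:20 +0000] "DELETE /api/pages/about HTTP/1.1" 204 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run it against your real access log by replacing SAMPLE_LOG with the file's lines; the same allowlist can then be mirrored in the web server's access rules to enforce the compensating control rather than only observe violations.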

Exploitation status

Public Exploit Available: false

Analyst recommendation

Administrators must verify their current plugin version and apply the update immediately. Given that this vulnerability allows for total system impact, failure to patch could lead to a complete compromise of the CMS.