CVE-2026-61451

getgrav · grav

The Grav API plugin is vulnerable to an open redirect during password reset, allowing attackers to hijack reset tokens and perform full account takeover.

Executive summary

A critical vulnerability in the Grav API plugin permits unauthenticated attackers to hijack user password reset flows, leading to full account takeover.

Vulnerability

The API endpoint fails to validate the host origin for password reset links, enabling an unauthenticated attacker to redirect the reset token to an attacker-controlled server, thereby capturing the token and gaining unauthorized access.

Business impact

The ability for an attacker to perform full account takeover, including administrative accounts, creates a severe risk to the confidentiality and integrity of the entire Grav installation. Given the 9.6 CVSS score, this vulnerability could result in total compromise of site data and user information.

Remediation

Immediate Action: Update the Grav API plugin to version 1.0.4 or later to implement correct origin validation.

Proactive Monitoring: Audit password reset logs for unusual request patterns or redirects to unexpected hostnames.

Compensating Controls: Implement strict Content Security Policy (CSP) headers and monitor for unauthorized outbound traffic from the application server.

Exploitation status

Public Exploit Available: No.

Analyst recommendation

This vulnerability is critical due to the potential for complete account takeover. Security teams must ensure the API plugin is updated to 1.0.4 immediately to prevent token harvesting and unauthorized access.