CVE-2026-61451
getgrav · grav
The Grav API plugin is vulnerable to an open redirect during password reset, allowing attackers to hijack reset tokens and perform full account takeover.
Executive summary
A critical vulnerability in the Grav API plugin permits unauthenticated attackers to hijack user password reset flows, leading to full account takeover.
Vulnerability
The API endpoint fails to validate the host origin for password reset links, enabling an unauthenticated attacker to redirect the reset token to an attacker-controlled server, thereby capturing the token and gaining unauthorized access.
Business impact
The ability for an attacker to perform full account takeover, including administrative accounts, creates a severe risk to the confidentiality and integrity of the entire Grav installation. Given the 9.6 CVSS score, this vulnerability could result in total compromise of site data and user information.
Remediation
Immediate Action: Update the Grav API plugin to version 1.0.4 or later to implement correct origin validation.
Proactive Monitoring: Audit password reset logs for unusual request patterns or redirects to unexpected hostnames.
Compensating Controls: Implement strict Content Security Policy (CSP) headers and monitor for unauthorized outbound traffic from the application server.
Exploitation status
Public Exploit Available: No.
Analyst recommendation
This vulnerability is critical due to the potential for complete account takeover. Security teams must ensure the API plugin is updated to 1.0.4 immediately to prevent token harvesting and unauthorized access.