CVE-2026-62231

getgrav · grav (Grav API plugin)

The Grav API plugin is affected by an incorrect authorization vulnerability that allows authenticated users to bypass API key scope restrictions.

Executive summary

An authorization bypass vulnerability in the Grav API plugin allows authenticated users to exceed their assigned access scopes, potentially leading to unauthorized data exposure.

Vulnerability

This vulnerability (CWE-863) exists in the API key authentication mechanism of the Grav API plugin. It requires a user to be authenticated, but allows them to bypass the intended scope restrictions associated with their API key.

Business impact

By bypassing scope restrictions, an authenticated user could access or modify data they are not authorized to interact with. With a CVSS score of 8.1, this vulnerability poses a significant risk to data confidentiality and integrity, particularly in environments where multiple users share API access.

Remediation

Immediate Action: Update the Grav API plugin to version 1.0.6 or later to enforce correct authorization scoping.

Proactive Monitoring: Review API access logs to identify users or service accounts accessing endpoints or data outside of their typical operational scope.

Compensating Controls: Audit all active API keys and restrict the privileges associated with them to the minimum necessary level until the update is applied.

Exploitation status

Public Exploit Available: No (exploit_available: false)

Analyst recommendation

Although this vulnerability requires authentication, the potential for privilege escalation within the API is significant. All Grav users should update the API plugin to version 1.0.6 immediately to ensure that scope-based access controls are correctly enforced.