CVE-2026-62233

getgrav · grav

The Grav CMS API is vulnerable to privilege escalation due to missing authorization checks in its API key creation mechanism.

Executive summary

A critical privilege escalation vulnerability in the Grav CMS API allows authenticated users to gain unauthorized administrative access, posing a severe risk to site security.

Vulnerability

This is an authorization bypass (CWE-639) and missing authorization (CWE-862) flaw. The vulnerability allows a low-privileged authenticated user to manipulate API key creation, resulting in full unauthorized access.

Business impact

An attacker who successfully exploits this vulnerability can gain administrative privileges, leading to full control over the Grav CMS instance. With a CVSS score of 8.8, the potential for data theft, site defacement, or total system compromise is extreme.

Remediation

Immediate Action: Update the grav-plugin-api to version 1.0.6 or later immediately.

Proactive Monitoring: Review API key creation logs and audit user privilege changes to identify any anomalous administrative account activity.

Compensating Controls: Restrict access to the API endpoints to known, trusted IP addresses using a WAF or server-level firewall until the patch is applied.

Exploitation status

Public Exploit Available: No (exploit_available: false)

Analyst recommendation

This vulnerability represents a critical threat to the security of any Grav CMS installation. Administrators are urged to apply the provided fix immediately to prevent the escalation of privileges and potential site takeover.