← Back

CVE-2026-42843

nvd nist
Published: May 11, 2026Modified: May 27, 2026

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: security-advisories@github.com (Secondary)

Description

Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15.

Affected (14)

Getgrav
1 product
Grav Plugin Api
Configuration A
14 vulnerable
Vulnerable SoftwareAffected Versions
Getgrav
Grav Plugin Api
Version 1.0.0 beta10
Grav Plugin Api
Version 1.0.0 beta11
Grav Plugin Api
Version 1.0.0 beta12
Grav Plugin Api
Version 1.0.0 beta13
Grav Plugin Api
Version 1.0.0 beta14
Grav Plugin Api
Version 1.0.0 beta1
Grav Plugin Api
Version 1.0.0 beta2
Grav Plugin Api
Version 1.0.0 beta3
Grav Plugin Api
Version 1.0.0 beta4
Grav Plugin Api
Version 1.0.0 beta5
Grav Plugin Api
Version 1.0.0 beta6
Grav Plugin Api
Version 1.0.0 beta7
Grav Plugin Api
Version 1.0.0 beta8
Grav Plugin Api
Version 1.0.0 beta9

Related CWEs

CWE-863
Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

Source: security-advisories@github.com
ExploitVendor Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
ExploitVendor Advisory

Timeline

No history available yet.