Description
Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15.
Published: 2026-05-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Grav API Plugin contains an insecure direct object reference in the UsersController::update method. Before version 1.0.0-beta.15 any authenticated user with basic API access can alter their permission configuration. This flaw permits an attacker to elevate privileges to Super Administrator, granting unrestricted control over the site and the possibility to execute code on the server.

Affected Systems

The vulnerability affects the Grav API Plugin provided by getgrav. All installations running the Grav API Plugin prior to 1.0.0-beta.15 are susceptible, regardless of Grav CMS version.

Risk and Exploitability

The CVSS score of 8.8 places the issue in the high severity range. Exploitation requires authentication and API access, but no additional conditions are listed. EPSS is not available, and the vulnerability is not in the CISA KEV catalog. An attacker can exploit the flaw remotely if they have any authenticated API session, making it a significant risk for sites exposing the API.

Generated by OpenCVE AI on May 11, 2026 at 17:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Grav API Plugin to version 1.0.0-beta.15 or later.
  • Restrict the api.access permission to trusted users or disable it entirely if the API is not required.
  • Disable or remove the Grav API Plugin if headless functionality is unnecessary.

Generated by OpenCVE AI on May 11, 2026 at 17:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r945-h4vm-h736 Grav API Privilege Escalation to Super Admin
History

Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Getgrav
Getgrav grav-plugin-api
Vendors & Products Getgrav
Getgrav grav-plugin-api

Mon, 11 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 11 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15.
Title grav-plugin-api: Grav API Privilege Escalation to Super Admin
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Getgrav Grav-plugin-api
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T19:06:51.035Z

Reserved: 2026-04-30T16:44:48.376Z

Link: CVE-2026-42843

cve-icon Vulnrichment

Updated: 2026-05-11T18:51:16.359Z

cve-icon NVD

Status : Received

Published: 2026-05-11T17:16:34.013

Modified: 2026-05-11T20:25:42.893

Link: CVE-2026-42843

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T09:23:03Z

Weaknesses