No analysis available yet.
No remediation available yet.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 15 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jul 2026 12:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Grav API plugin (getgrav/grav-plugin-api) before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti (JWT ID) claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime (default 1 hour) regardless of logout, password change, new token issuance, or account disablement. An attacker who has stolen an access token retains full API access until the token naturally expires. | |
| Title | Grav before 2.0.4 Improper Session Invalidation JWT Access Tokens | |
| Weaknesses | CWE-613 | |
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-15T13:52:28.876Z
Reserved: 2026-07-09T14:06:14.017Z
Link: CVE-2026-61452
Updated: 2026-07-15T13:52:25.931Z
No data.
No data.
OpenCVE Enrichment
No data.
-
CWE-613
Insufficient Session Expiration