Insecure Direct Object Reference in Grav API Plugin for Grav CMS
CVE-2026-42843

8.8HIGH

Key Information:

Vendor: Getgrav
Status: Grav-plugin-api
Vendor: CVE Published:; 11 May 2026

What is CVE-2026-42843?

The Grav API Plugin for Grav CMS exhibits a vulnerability where an insecure direct object reference and logic flaw in the UsersController::update function allows authenticated users with minimal API access to alter their own permission settings. This exploit can potentially enable an attacker to gain Super Administrator privileges, compromising the system completely and possibly leading to remote code execution (RCE). The issue has been addressed in version 1.0.0-beta.15.

Affected Version(s)

grav-plugin-api < 1.0.0-beta.15

References

https://github.com/getgrav/grav/security/advisories/GHSA-...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2026
Vulnerability Reserved
Apr 30, 2026

CVE-2026-42843 Data

JSON

Getgrav

What is CVE-2026-42843?

Affected Version(s)

References

CVSS V3.1

Timeline