Cross-Origin API Vulnerability in Grav API Plugin by Grav
CVE-2026-58656
8.7HIGH
What is CVE-2026-58656?
The Grav API Plugin prior to version v1.0.0-rc.16 is susceptible to a serious CORS misconfiguration that allows attackers to exploit the JWT tokens passed via the 'token' URL query parameter. This vulnerability permits unauthenticated entities to perform fully authenticated requests across domains, ultimately leading to unauthorized API access. Attackers can leverage leaked JWT tokens found in access logs or browser history to create backdoor super-admin accounts, compromising sensitive user configurations and data.
Affected Version(s)
grav 0 <= 1.0.0-rc.15
