Cross-Origin API Vulnerability in Grav API Plugin by Grav
CVE-2026-58656

8.7HIGH

Key Information:

Vendor

Getgrav

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-58656?

The Grav API Plugin prior to version v1.0.0-rc.16 is susceptible to a serious CORS misconfiguration that allows attackers to exploit the JWT tokens passed via the 'token' URL query parameter. This vulnerability permits unauthenticated entities to perform fully authenticated requests across domains, ultimately leading to unauthorized API access. Attackers can leverage leaked JWT tokens found in access logs or browser history to create backdoor super-admin accounts, compromising sensitive user configurations and data.

Affected Version(s)

grav 0 <= 1.0.0-rc.15

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

nicl4ssic
.