Weakness in Grav API Plugin Exposes Users to Account Takeover Risks
CVE-2026-61451
9.4CRITICAL
What is CVE-2026-61451?
The Grav API plugin is prone to a vulnerability where it does not properly validate the origin of the client-supplied 'admin_base_url' in the password reset process. This oversight means that the functionality allowing users to reset passwords can lead to exploitation, whereby a malicious actor can send a crafted link to victims. When users interact with this link, the sensitive reset token is compromised, enabling full unauthorized access to their accounts. Additionally, this vulnerability can be further manipulated using Referer or Origin headers, making it imperative for Grav users to update to version 1.0.4 or later to mitigate these risks.
Affected Version(s)
grav 0 < 1.0.4
grav 1.0.4
