Weakness in Grav API Plugin Exposes Users to Account Takeover Risks
CVE-2026-61451

9.4CRITICAL

Key Information:

Vendor

Getgrav

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-61451?

The Grav API plugin is prone to a vulnerability where it does not properly validate the origin of the client-supplied 'admin_base_url' in the password reset process. This oversight means that the functionality allowing users to reset passwords can lead to exploitation, whereby a malicious actor can send a crafted link to victims. When users interact with this link, the sensitive reset token is compromised, enabling full unauthorized access to their accounts. Additionally, this vulnerability can be further manipulated using Referer or Origin headers, making it imperative for Grav users to update to version 1.0.4 or later to mitigate these risks.

Affected Version(s)

grav 0 < 1.0.4

grav 1.0.4

References

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

gemstone-source
.