Improper Session Invalidation in Grav API Plugin by Grav
CVE-2026-61452
6.9MEDIUM
What is CVE-2026-61452?
The Grav API plugin prior to version 2.0.4 has a vulnerability that allows unauthorized access to API services through improperly validated JSON Web Tokens (JWT). Specifically, access tokens generated by the plugin do not include a 'jti' (JWT ID) claim, which prevents server-side revocation. Consequently, once an access token is issued, it remains valid until its expiration—defaulting to one hour—irrespective of user actions such as logout or password changes. This leaves systems exposed, as attackers with stolen access tokens can exploit API functionalities without detection until the token expires.
Affected Version(s)
grav 0 < 2.0.4
grav 2.0.4
