Improper Session Invalidation in Grav API Plugin by Grav
CVE-2026-61452

6.9MEDIUM

Key Information:

Vendor

Getgrav

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-61452?

The Grav API plugin prior to version 2.0.4 has a vulnerability that allows unauthorized access to API services through improperly validated JSON Web Tokens (JWT). Specifically, access tokens generated by the plugin do not include a 'jti' (JWT ID) claim, which prevents server-side revocation. Consequently, once an access token is issued, it remains valid until its expiration—defaulting to one hour—irrespective of user actions such as logout or password changes. This leaves systems exposed, as attackers with stolen access tokens can exploit API functionalities without detection until the token expires.

Affected Version(s)

grav 0 < 2.0.4

grav 2.0.4

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

alienkeric
.