CVE-2026-42843

EUVD-2026-29128

11.05.2026, 17:16

Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 26%

Affected Products (NVD)

Vendor	Product	Version
getgrav	grav-plugin-api	1.0.0:beta1
getgrav	grav-plugin-api	1.0.0:beta10
getgrav	grav-plugin-api	1.0.0:beta11
getgrav	grav-plugin-api	1.0.0:beta12
getgrav	grav-plugin-api	1.0.0:beta13
getgrav	grav-plugin-api	1.0.0:beta14
getgrav	grav-plugin-api	1.0.0:beta2
getgrav	grav-plugin-api	1.0.0:beta3
getgrav	grav-plugin-api	1.0.0:beta4
getgrav	grav-plugin-api	1.0.0:beta5
getgrav	grav-plugin-api	1.0.0:beta6
getgrav	grav-plugin-api	1.0.0:beta7
getgrav	grav-plugin-api	1.0.0:beta8
getgrav	grav-plugin-api	1.0.0:beta9

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-863 - Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References

https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736