CVE 8.8 HIGH

grav-plugin-api: Grav API Privilege Escalation to Super Admin (CVE-2026-42843)

8.8 / 10
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to a site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the plugin's UsersController::update allows any authenticated user with basic API access (the api.access permission) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15.

AI Analysis

Privilege escalation vulnerability in Grav API Plugin allowing authenticated users to modify their own permission configuration and potentially gain Super Administrator access.

Basic Information

ID CVE-2026-42843
Source GitHub_M
Published May 11, 2026 at 15:54

Affected Product

Vendor getgrav
Product grav-plugin-api
Version < 1.0.0-beta.15
Affected Versions getgrav grav-plugin-api < 1.0.0-beta.15

CWE Classification

AI Assessment

AI Score 8.8 / 10
AI Severity High
Vendor getgrav
Product Grav API Plugin
Version < 1.0.0-beta.15

References
