{“lastseen”:””,”description”:”Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site’s content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15.”,”published”:”2026-05-11T15:54:33.485Z”,”modified”:”2026-05-11T15:54:33.485Z”,”type”:”cve”,”title”:”grav-plugin-api: Grav API Privilege Escalation to Super Admin”,”source”:”GitHub_M”,”references”:”https:\/\/github.com\/getgrav\/grav\/security\/advisories\/GHSA-r945-h4vm-h736″,”id”:”CVE-2026-42843″,”bulletinFamily”:””,”cwe”:[“CWE-863″],”cvelist”:null,”sourceData”:”getgrav grav-plugin-api \\u003c 1.0.0-beta.15″,”sourceHref”:””,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”grav-plugin-api”,”version”:”\\u003c 1.0.0-beta.15″,”vendor”:”getgrav”,”ai_description”:”Privilege escalation vulnerability in Grav API Plugin allowing authenticated users to modify their own permission configuration and potentially gain Super Administrator access”,”ai_severity”:”High”,”ai_vendor”:”getgrav”,”ai_product”:”Grav API Plugin”,”ai_version”:”\\u003c 1.0.0-beta.15″,”ai_score”:8.8}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site’s content, media, configuration, users, and system management….<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,41,12,15,13,7,11,5],"class_list":["post-53069","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n