CVE-2026-42843 | THREATINT

Description

Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15.

PUBLISHED Reserved 2026-04-30 | Published 2026-05-11 | Updated 2026-05-11 | Assigner GitHub_M

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-863: Incorrect Authorization

Product status

< 1.0.0-beta.15

affected

References

github.com/...v/grav/security/advisories/GHSA-r945-h4vm-h736 exploit

github.com/...v/grav/security/advisories/GHSA-r945-h4vm-h736

cve.org (CVE-2026-42843)

nvd.nist.gov (CVE-2026-42843)

Download JSON