CVE-2026-42843

Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736	Exploit Vendor Advisory
https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta1::::::
	cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta10::::::
	cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta11::::::
	cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta12::::::
	cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta13::::::
	cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta14::::::
	cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta2::::::
	cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta3::::::
	cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta4::::::
	cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta5::::::
	cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta6::::::
	cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta7::::::
	cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta8::::::
	cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta9::::::

History

27 May 2026, 19:07

Type	Values Removed	Values Added
CPE		cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta14:::::: cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta13:::::: cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta12:::::: cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta9:::::: cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta8:::::: cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta1:::::: cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta4:::::: cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta3:::::: cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta7:::::: cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta10:::::: cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta11:::::: cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta6:::::: cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta5:::::: cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta2::::::
First Time		Getgrav Getgrav grav-plugin-api
References	~~() https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736 -~~	() https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736 - Exploit, Vendor Advisory

11 May 2026, 20:25

Type	Values Removed	Values Added
References	~~() https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736 -~~	() https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736 -

11 May 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-11 17:16

Updated : 2026-05-27 19:07

NVD link : CVE-2026-42843

Mitre link : CVE-2026-42843

CVE.ORG link : CVE-2026-42843

JSON object : View

Products Affected

getgrav

grav-plugin-api

CWE

CWE-863

Incorrect Authorization

8.8 /10