CVE-2026-42843
HIGH
grav-plugin-api: Grav API Privilege Escalation to Super Admin
Title source: cnaDescription
Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15.
References (1)
Core References
x_refsource_confirm: https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736
Scores
CVSS v3
8.8
EPSS
0.0035
EPSS Percentile
26.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-863
Status
published
Products (3)
getgrav/grav-plugin-api
1.0.0 beta1 (14 CPE variants)
getgrav/grav-plugin-api
0 - 1.0.0-beta.15 (Packagist)
getgrav/grav-plugin-api
< 1.0.0-beta.15
Published
May 11, 2026
Tracked Since
May 11, 2026