Skip to content
Threat Feed
critical advisory

CVE-2026-61451: Unauthenticated Account Takeover in Grav API Plugin via Password Reset Vulnerability

An unauthenticated attacker can exploit CVE-2026-61451 in Grav API plugin versions prior to 1.0.4, leveraging improper URL validation in the password reset functionality to specify an arbitrary host in the reset link, thereby disclosing valid reset tokens to an attacker-controlled server and enabling full account takeover.

CVE-2026-61451 details a critical vulnerability affecting the Grav API plugin (grav-plugin-api) versions earlier than 1.0.4. This flaw allows an unauthenticated attacker to bypass authentication and achieve full account takeover. The vulnerability stems from insufficient validation of the admin_base_url field within the POST /api/v1/auth/forgot-password endpoint. The sanitizeHttpUrl() function, intended to secure URLs, only confirms the scheme is HTTP/HTTPS but critically fails to verify the host against the server's own origin. This oversight enables an attacker to inject an arbitrary, attacker-controlled domain into the password reset link. Consequently, when a victim requests a password reset, the generated email contains a link to the attacker's server, disclosing the legitimate password reset token upon the victim's click. This mechanism facilitates the hijacking of user accounts without prior authentication.

Attack Chain

  1. An unauthenticated attacker initiates a password reset request for a victim's account by sending a POST request to the /api/v1/auth/forgot-password endpoint on a vulnerable Grav instance.
  2. The attacker manipulates the admin_base_url parameter within the request body or via Referer/Origin headers, injecting a URL pointing to an attacker-controlled server.
  3. The vulnerable Grav instance's sanitizeHttpUrl() function processes the admin_base_url but fails to validate its origin, accepting the attacker's URL.
  4. The Grav instance then generates a password reset email for the victim, embedding the attacker-controlled admin_base_url and a legitimate reset token into the reset link.
  5. The victim receives the password reset email and, believing it to be legitimate, clicks on the provided reset link.
  6. Upon clicking, the victim is redirected to the attacker-controlled server, inadvertently transmitting the valid password reset token in the URL.
  7. The attacker's server captures the reset token, which can then be used to perform a legitimate password reset request against the Grav instance.
  8. With the new password, the attacker gains full control over the victim's account, achieving complete account takeover.

Impact

Successful exploitation of CVE-2026-61451 leads to unauthenticated account takeover, allowing attackers to gain full control over any user account on the Grav instance, including administrative accounts. This can result in unauthorized access to sensitive data, website defacement, content manipulation, privilege escalation, or further compromise of the underlying server infrastructure. The CVSS v3.1 base score of 9.6 highlights the critical severity and ease of exploitation without requiring any authentication. Organizations utilizing vulnerable versions of the Grav API plugin face a severe risk of data breaches and service disruption.

Recommendation

  • Patch CVE-2026-61451 immediately by updating the Grav API plugin (grav-plugin-api) to version 1.0.4 or later.
  • Deploy the Sigma rule "Detect CVE-2026-61451 Exploitation - Grav API Password Reset URL Injection" to your SIEM to detect attempts to exploit this vulnerability.
  • Ensure comprehensive web server logging is enabled (webserver category) to capture POST requests, cs-uri-stem, cs-uri-query, and Referer/Origin headers for forensic analysis.

Detection coverage 1

Detect CVE-2026-61451 Exploitation - Grav API Password Reset URL Injection

high

Detects exploitation attempts for CVE-2026-61451 by identifying POST requests to the Grav API forgot-password endpoint where the 'admin_base_url' parameter contains a full external URL scheme (http:// or https://), indicating an attacker attempting to inject a malicious redirect.

sigma tactics: credential_access, initial_access techniques: T1190, T1552.001 sources: webserver

Detection queries are available on the platform. Get full rules →