<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Grav API Plugin (&lt; 1.0.0-Rc.16) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/grav-api-plugin--1.0.0-rc.16/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 02:42:19 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/grav-api-plugin--1.0.0-rc.16/feed.xml" rel="self" type="application/rss+xml"/><item><title>Grav API Plugin Vulnerable to CORS Misconfiguration Allowing Data Exposure and Unauthorized Operations</title><link>https://feed.craftedsignal.io/briefs/2026-07-grav-api-cors-misconfiguration/</link><pubDate>Fri, 17 Jul 2026 02:42:19 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-grav-api-cors-misconfiguration/</guid><description>The Grav API plugin before version 1.0.0-rc.16 contains a CORS misconfiguration that sets `Access-Control-Allow-Origin: *` by default, enabling an attacker to perform authenticated cross-origin requests from a malicious website after obtaining a valid API token, leading to sensitive data exfiltration and unauthorized write operations.</description><content:encoded><![CDATA[<p>A critical Cross-Origin Resource Sharing (CORS) misconfiguration has been identified in the Grav API plugin (getgrav/grav-plugin-api) versions prior to 1.0.0-rc.16. This vulnerability, tracked as CVE-2026-62387, stems from the plugin's default configuration of <code>Access-Control-Allow-Origin: *</code> on all responses, including authenticated API endpoints and preflight <code>OPTIONS</code> requests. This lax CORS policy allows any website to make authenticated requests to the Grav API once an attacker has acquired a valid API token. Attackers can leverage various methods such as log leakage, browser history analysis, or network capture to obtain these tokens. The impact for defenders is significant as this flaw bypasses browser same-origin policy, enabling attackers to read sensitive data and execute write operations programmatically from their malicious domains, effectively taking over user accounts within the Grav system.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker compromises a valid Grav API access token for a user account through various means, such as log leakage, sniffing network traffic, or exploiting browser vulnerabilities that expose session data.</li>
<li>Attacker crafts a malicious website containing JavaScript code designed to interact with the vulnerable Grav API endpoints.</li>
<li>A user, whose API token has been compromised, browses to the attacker's malicious website.</li>
<li>The malicious JavaScript on the attacker's site initiates a cross-origin HTTP request (e.g., <code>GET</code>, <code>POST</code>, <code>OPTIONS</code>) to the Grav API, including the stolen access token in the <code>Authorization</code> or <code>X-API-Token</code> header.</li>
<li>Due to the <code>Access-Control-Allow-Origin: *</code> header sent by the Grav API plugin, the user's browser allows the malicious JavaScript to process the response from the Grav API, bypassing the same-origin policy.</li>
<li>The attacker's JavaScript reads sensitive data (e.g., user profiles, content) from the Grav system or performs unauthorized write operations (e.g., modifying content, user settings) using the compromised token.</li>
<li>The collected sensitive data is then exfiltrated from the user's browser to an attacker-controlled server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-62387 can lead to unauthorized access to sensitive data and critical system functions within Grav instances. Attackers can read any data accessible to the compromised user's API token, potentially exposing private content, user information, or system configurations. Furthermore, the ability to perform write operations means attackers can deface websites, inject malicious content, alter user accounts, or even disrupt Grav site functionality. The specific damage and number of victims would depend on the privileges associated with the compromised API token and the attacker's objectives.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch the Grav API plugin to version 1.0.0-rc.16 or later to address CVE-2026-62387.</li>
<li>Review web server access logs for the patterns identified in the &quot;Detects CVE-2026-62387 exploitation - Suspicious Cross-Origin Request to Grav API&quot; Sigma rule, specifically looking for Grav API requests with <code>Origin</code> headers from unexpected domains.</li>
<li>Configure web application firewalls (WAFs) to block requests to Grav API endpoints that have an <code>Origin</code> header not matching your legitimate Grav domain(s) or a predefined allowlist of trusted origins.</li>
<li>Implement strict logging and monitoring for all Grav API access, focusing on authentication attempts, data retrieval, and modification actions.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>web-vulnerability</category><category>cors</category><category>misconfiguration</category><category>data-exfiltration</category><category>rce-potential</category></item><item><title>Grav API Plugin Vulnerability Exposes JWT Access Tokens via URL Parameter</title><link>https://feed.craftedsignal.io/briefs/2026-07-grav-api-jwt-leak/</link><pubDate>Fri, 17 Jul 2026 02:41:05 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-grav-api-jwt-leak/</guid><description>The Grav API plugin (getgrav/grav-plugin-api) before version 1.0.0-rc.16 is vulnerable to sensitive information exposure, accepting JWT access tokens via the '?token=' URL query parameter, causing these tokens to be logged in web server access logs, browser history, and potentially leaked through Referer headers, proxy, or CDN logs, which allows an attacker to gain unauthorized API access, read configuration and user data, create new admin accounts, modify system settings, and delete pages.</description><content:encoded><![CDATA[<p>A critical vulnerability, tracked as CVE-2026-62386, has been identified in the Grav API plugin (getgrav/grav-plugin-api) affecting all versions prior to 1.0.0-rc.16. This flaw allows JWT access tokens to be submitted and processed via the <code>?token=</code> URL query parameter across all API routes. This method of token submission inherently exposes sensitive admin access tokens, as they are logged verbatim in web server access logs, stored in browser history, and can be leaked via the Referer HTTP header or captured by upstream proxy and CDN logs. This widespread exposure of valid admin tokens grants unauthorized individuals full API access, enabling them to read sensitive configuration files and user data, create new administrator accounts, modify critical system settings, and delete pages. The vulnerability poses a significant risk to the integrity and confidentiality of Grav-based websites.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a Grav API endpoint susceptible to the <code>?token=</code> parameter vulnerability.</li>
<li>A valid JWT admin access token for the Grav API is acquired through passive means (e.g., from web server access logs, browser history, proxy/CDN logs, or HTTP Referer header leakage).</li>
<li>The attacker constructs a malicious HTTP request to a Grav API endpoint, embedding the leaked JWT token in the <code>?token=</code> URL query parameter.</li>
<li>The Grav API processes the request, authenticating the attacker with the legitimate admin token.</li>
<li>The attacker proceeds to read sensitive configuration and user data from the Grav system via authenticated API calls.</li>
<li>Utilizing API functionality, the attacker creates new administrative user accounts to establish persistence within the Grav environment.</li>
<li>The attacker modifies critical system settings or configuration parameters via API calls to further control the application.</li>
<li>Finally, the attacker deletes content, such as pages, or performs other destructive actions, achieving unauthorized control and data manipulation within the Grav instance.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-62386 can lead to severe consequences for affected Grav instances. Unauthorized individuals gaining access to valid admin JWT tokens can bypass authentication mechanisms and achieve full control over the Grav API. This can result in the complete compromise of data confidentiality through the reading of sensitive configuration and user data, including potentially private content. Furthermore, the ability to create new administrator accounts and modify system settings grants attackers persistent access and potential privilege escalation, allowing them to subvert the website's functionality and integrity. The deletion of pages represents a direct impact on data availability and can lead to significant reputational damage or operational disruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-62386 immediately by upgrading the Grav API plugin to version 1.0.0-rc.16 or higher.</li>
<li>Review web server access logs, proxy logs, and CDN logs for any instances of <code>?token=</code> parameters in URL paths, which could indicate prior or ongoing token exposure.</li>
<li>Configure web server logging to filter or redact sensitive URL query parameters (specifically <code>token=</code>) to prevent future leakage, even after patching.</li>
<li>Deploy the Sigma rule provided in this brief to your SIEM to detect attempts to exploit this vulnerability or unusual token usage patterns.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>web</category><category>api</category><category>jwt</category><category>information-exposure</category><category>grav</category></item></channel></rss>