{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/grav-api-plugin-grav-plugin-api--1.0.4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.6,"id":"CVE-2026-61451"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Grav API plugin (grav-plugin-api) \u003c 1.0.4"],"_cs_severities":["critical"],"_cs_tags":["web-vulnerability","account-takeover","password-reset","grav","api"],"_cs_type":"advisory","_cs_vendors":["Grav"],"content_html":"\u003cp\u003eCVE-2026-61451 details a critical vulnerability affecting the Grav API plugin (grav-plugin-api) versions earlier than 1.0.4. This flaw allows an unauthenticated attacker to bypass authentication and achieve full account takeover. The vulnerability stems from insufficient validation of the \u003ccode\u003eadmin_base_url\u003c/code\u003e field within the \u003ccode\u003ePOST /api/v1/auth/forgot-password\u003c/code\u003e endpoint. The \u003ccode\u003esanitizeHttpUrl()\u003c/code\u003e function, intended to secure URLs, only confirms the scheme is HTTP/HTTPS but critically fails to verify the host against the server's own origin. This oversight enables an attacker to inject an arbitrary, attacker-controlled domain into the password reset link. Consequently, when a victim requests a password reset, the generated email contains a link to the attacker's server, disclosing the legitimate password reset token upon the victim's click. This mechanism facilitates the hijacking of user accounts without prior authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker initiates a password reset request for a victim's account by sending a \u003ccode\u003ePOST\u003c/code\u003e request to the \u003ccode\u003e/api/v1/auth/forgot-password\u003c/code\u003e endpoint on a vulnerable Grav instance.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the \u003ccode\u003eadmin_base_url\u003c/code\u003e parameter within the request body or via \u003ccode\u003eReferer\u003c/code\u003e/\u003ccode\u003eOrigin\u003c/code\u003e headers, injecting a URL pointing to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe vulnerable Grav instance's \u003ccode\u003esanitizeHttpUrl()\u003c/code\u003e function processes the \u003ccode\u003eadmin_base_url\u003c/code\u003e but fails to validate its origin, accepting the attacker's URL.\u003c/li\u003e\n\u003cli\u003eThe Grav instance then generates a password reset email for the victim, embedding the attacker-controlled \u003ccode\u003eadmin_base_url\u003c/code\u003e and a legitimate reset token into the reset link.\u003c/li\u003e\n\u003cli\u003eThe victim receives the password reset email and, believing it to be legitimate, clicks on the provided reset link.\u003c/li\u003e\n\u003cli\u003eUpon clicking, the victim is redirected to the attacker-controlled server, inadvertently transmitting the valid password reset token in the URL.\u003c/li\u003e\n\u003cli\u003eThe attacker's server captures the reset token, which can then be used to perform a legitimate password reset request against the Grav instance.\u003c/li\u003e\n\u003cli\u003eWith the new password, the attacker gains full control over the victim's account, achieving complete account takeover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-61451 leads to unauthenticated account takeover, allowing attackers to gain full control over any user account on the Grav instance, including administrative accounts. This can result in unauthorized access to sensitive data, website defacement, content manipulation, privilege escalation, or further compromise of the underlying server infrastructure. The CVSS v3.1 base score of 9.6 highlights the critical severity and ease of exploitation without requiring any authentication. Organizations utilizing vulnerable versions of the Grav API plugin face a severe risk of data breaches and service disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-61451 immediately by updating the Grav API plugin (grav-plugin-api) to version 1.0.4 or later.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect CVE-2026-61451 Exploitation - Grav API Password Reset URL Injection\u0026quot; to your SIEM to detect attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eEnsure comprehensive web server logging is enabled (\u003ccode\u003ewebserver\u003c/code\u003e category) to capture \u003ccode\u003ePOST\u003c/code\u003e requests, \u003ccode\u003ecs-uri-stem\u003c/code\u003e, \u003ccode\u003ecs-uri-query\u003c/code\u003e, and \u003ccode\u003eReferer\u003c/code\u003e/\u003ccode\u003eOrigin\u003c/code\u003e headers for forensic analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T12:20:35Z","date_published":"2026-07-15T12:20:35Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61451-grav-api-auth-bypass/","summary":"An unauthenticated attacker can exploit CVE-2026-61451 in Grav API plugin versions prior to 1.0.4, leveraging improper URL validation in the password reset functionality to specify an arbitrary host in the reset link, thereby disclosing valid reset tokens to an attacker-controlled server and enabling full account takeover.","title":"CVE-2026-61451: Unauthenticated Account Takeover in Grav API Plugin via Password Reset Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61451-grav-api-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Grav API Plugin (Grav-Plugin-Api) \u003c 1.0.4","version":"https://jsonfeed.org/version/1.1"}