<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Grav API Plugin (Grav-Plugin-Api) &lt; 1.0.4 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/grav-api-plugin-grav-plugin-api--1.0.4/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 12:20:35 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/grav-api-plugin-grav-plugin-api--1.0.4/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-61451: Unauthenticated Account Takeover in Grav API Plugin via Password Reset Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61451-grav-api-auth-bypass/</link><pubDate>Wed, 15 Jul 2026 12:20:35 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61451-grav-api-auth-bypass/</guid><description>An unauthenticated attacker can exploit CVE-2026-61451 in Grav API plugin versions prior to 1.0.4, leveraging improper URL validation in the password reset functionality to specify an arbitrary host in the reset link, thereby disclosing valid reset tokens to an attacker-controlled server and enabling full account takeover.</description><content:encoded><![CDATA[<p>CVE-2026-61451 details a critical vulnerability affecting the Grav API plugin (grav-plugin-api) versions earlier than 1.0.4. This flaw allows an unauthenticated attacker to bypass authentication and achieve full account takeover. The vulnerability stems from insufficient validation of the <code>admin_base_url</code> field within the <code>POST /api/v1/auth/forgot-password</code> endpoint. The <code>sanitizeHttpUrl()</code> function, intended to secure URLs, only confirms the scheme is HTTP/HTTPS but critically fails to verify the host against the server's own origin. This oversight enables an attacker to inject an arbitrary, attacker-controlled domain into the password reset link. Consequently, when a victim requests a password reset, the generated email contains a link to the attacker's server, disclosing the legitimate password reset token upon the victim's click. This mechanism facilitates the hijacking of user accounts without prior authentication.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker initiates a password reset request for a victim's account by sending a <code>POST</code> request to the <code>/api/v1/auth/forgot-password</code> endpoint on a vulnerable Grav instance.</li>
<li>The attacker manipulates the <code>admin_base_url</code> parameter within the request body or via <code>Referer</code>/<code>Origin</code> headers, injecting a URL pointing to an attacker-controlled server.</li>
<li>The vulnerable Grav instance's <code>sanitizeHttpUrl()</code> function processes the <code>admin_base_url</code> but fails to validate its origin, accepting the attacker's URL.</li>
<li>The Grav instance then generates a password reset email for the victim, embedding the attacker-controlled <code>admin_base_url</code> and a legitimate reset token into the reset link.</li>
<li>The victim receives the password reset email and, believing it to be legitimate, clicks on the provided reset link.</li>
<li>Upon clicking, the victim is redirected to the attacker-controlled server, inadvertently transmitting the valid password reset token in the URL.</li>
<li>The attacker's server captures the reset token, which can then be used to perform a legitimate password reset request against the Grav instance.</li>
<li>With the new password, the attacker gains full control over the victim's account, achieving complete account takeover.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-61451 leads to unauthenticated account takeover, allowing attackers to gain full control over any user account on the Grav instance, including administrative accounts. This can result in unauthorized access to sensitive data, website defacement, content manipulation, privilege escalation, or further compromise of the underlying server infrastructure. The CVSS v3.1 base score of 9.6 highlights the critical severity and ease of exploitation without requiring any authentication. Organizations utilizing vulnerable versions of the Grav API plugin face a severe risk of data breaches and service disruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-61451 immediately by updating the Grav API plugin (grav-plugin-api) to version 1.0.4 or later.</li>
<li>Deploy the Sigma rule &quot;Detect CVE-2026-61451 Exploitation - Grav API Password Reset URL Injection&quot; to your SIEM to detect attempts to exploit this vulnerability.</li>
<li>Ensure comprehensive web server logging is enabled (<code>webserver</code> category) to capture <code>POST</code> requests, <code>cs-uri-stem</code>, <code>cs-uri-query</code>, and <code>Referer</code>/<code>Origin</code> headers for forensic analysis.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>web-vulnerability</category><category>account-takeover</category><category>password-reset</category><category>grav</category><category>api</category></item></channel></rss>