{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/grav-plugin-api--1.0.0-beta.15/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["grav-plugin-api (\u003c 1.0.0-beta.15)"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","web-application","grav"],"_cs_type":"advisory","_cs_vendors":["getgrav"],"content_html":"\u003cp\u003eA critical vulnerability exists within the Grav API plugin (\u003ccode\u003ecomposer/getgrav/grav-plugin-api\u003c/code\u003e) versions prior to 1.0.0-beta.15. This vulnerability, identified as CVE-2026-42843, allows any authenticated user with the \u003ccode\u003eapi.access\u003c/code\u003e permission to escalate their privileges to Super Administrator. The flaw is due to an insecure direct object reference and logic error in the \u003ccode\u003eUsersController::update\u003c/code\u003e method, specifically in how user permissions are updated via the API. By sending a crafted PATCH request, a low-privileged user can modify their own access control list (ACL) to include \u003ccode\u003eadmin.super\u003c/code\u003e and \u003ccode\u003eapi.super\u003c/code\u003e permissions. Successful exploitation grants the attacker full control over the Grav CMS instance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains a low-privileged user account with \u003ccode\u003eapi.access\u003c/code\u003e permission on the Grav CMS.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Grav API using the obtained credentials to receive a valid JWT access token via a POST request to \u003ccode\u003e/api/v1/auth/token\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious PATCH request to the \u003ccode\u003e/api/v1/users/{username}\u003c/code\u003e endpoint, targeting their own username.\u003c/li\u003e\n\u003cli\u003eThe PATCH request includes a JSON payload that modifies the user\u0026rsquo;s \u003ccode\u003eaccess\u003c/code\u003e field, specifically setting \u003ccode\u003eadmin.super\u003c/code\u003e and \u003ccode\u003eapi.super\u003c/code\u003e to \u003ccode\u003etrue\u003c/code\u003e. For example: \u003ccode\u003e{\u0026quot;access\u0026quot;:{\u0026quot;admin\u0026quot;:{\u0026quot;login\u0026quot;:true,\u0026quot;super\u0026quot;:true},\u0026quot;api\u0026quot;:{\u0026quot;access\u0026quot;:true,\u0026quot;super\u0026quot;:true},\u0026quot;site\u0026quot;:{\u0026quot;login\u0026quot;:true}}}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted PATCH request to the target Grav CMS instance, including the JWT access token in the \u003ccode\u003eX-API-Token\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eUsersController::update\u003c/code\u003e method in \u003ccode\u003euser/plugins/api/classes/Api/Controllers/UsersController.php\u003c/code\u003e processes the request without properly validating the user\u0026rsquo;s authority to modify their own permissions.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s \u003ccode\u003eaccess\u003c/code\u003e field is updated with the malicious payload, granting them Super Administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the Grav Admin panel using the compromised user credentials and now has full control over the Grav CMS, able to modify content, install plugins, and potentially execute arbitrary code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis privilege escalation vulnerability (CVE-2026-42843) allows any low-privileged user to gain complete control over a Grav CMS instance. An attacker can modify website content, inject malicious code, install backdoors, and potentially achieve remote code execution (RCE) on the underlying server by modifying Twig templates. This can lead to data breaches, website defacement, and complete compromise of the affected system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003ecomposer/getgrav/grav-plugin-api\u003c/code\u003e package to version 1.0.0-beta.15 or later to patch CVE-2026-42843.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Grav API User Permission Escalation Attempt\u0026rdquo; to identify attempted exploitation of this vulnerability by monitoring for PATCH requests to \u003ccode\u003e/api/v1/users/\u003c/code\u003e with modified access parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-grav-api-privesc/","summary":"A privilege escalation vulnerability in the Grav API plugin allows authenticated users with basic API access to elevate their privileges to Super Administrator, leading to full system compromise and potential remote code execution.","title":"Grav API Plugin Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-grav-api-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Grav-Plugin-Api (\u003c 1.0.0-Beta.15)","version":"https://jsonfeed.org/version/1.1"}