Product
A privilege escalation vulnerability (CVE-2026-62233) in grav-plugin-api before version 1.0.6 allows non-super api.users.write managers to bypass authorization checks on administrative API endpoints, enabling the creation of super-admin API keys or disabling super-admin Two-Factor Authentication (2FA), leading to full Grav instance takeover.