{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/grav-plugin-api/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-62233"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["grav-plugin-api"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","vulnerability","grav"],"_cs_type":"advisory","_cs_vendors":["getgrav"],"content_html":"\u003cp\u003eCVE-2026-62233 identifies a critical authorization bypass vulnerability within the \u003ccode\u003egrav-plugin-api\u003c/code\u003e for Grav CMS, affecting all versions prior to 1.0.6. This flaw stems from an insufficient validation of user privileges when processing requests to the \u003ccode\u003ecreateApiKey\u003c/code\u003e, \u003ccode\u003egenerate2fa\u003c/code\u003e, and \u003ccode\u003edisable2fa\u003c/code\u003e API endpoints. An attacker who has already obtained initial access as a low-privileged \u003ccode\u003eapi.users.write\u003c/code\u003e manager can exploit this vulnerability to escalate their privileges to super-admin level. By abusing these endpoints, the attacker can either mint new API keys with super-admin permissions or disable the Two-Factor Authentication (2FA) for existing super-admin accounts, effectively granting them full administrative control over the Grav instance. This vulnerability poses a significant risk as it can lead to complete compromise of the affected system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the Grav instance with a low-privileged account, specifically one granted the \u003ccode\u003eapi.users.write\u003c/code\u003e manager role.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies and targets the \u003ccode\u003ecreateApiKey\u003c/code\u003e, \u003ccode\u003egenerate2fa\u003c/code\u003e, or \u003ccode\u003edisable2fa\u003c/code\u003e API endpoints exposed by the \u003ccode\u003egrav-plugin-api\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an API request to one of these endpoints, typically specifying a super-admin user account or parameters that would affect super-admin privileges.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability (CVE-2026-62233), the \u003ccode\u003egrav-plugin-api\u003c/code\u003e version prior to 1.0.6 fails to properly validate whether the initiating user has super-admin status.\u003c/li\u003e\n\u003cli\u003eIf the attacker uses the \u003ccode\u003ecreateApiKey\u003c/code\u003e endpoint, a new API key is successfully generated and bound to a super-admin account, granting the attacker super-admin capabilities.\u003c/li\u003e\n\u003cli\u003eAlternatively, if the attacker uses the \u003ccode\u003edisable2fa\u003c/code\u003e endpoint, the Two-Factor Authentication for a target super-admin account is successfully removed.\u003c/li\u003e\n\u003cli\u003eThe attacker then utilizes the newly acquired super-admin API key or leverages the disabled 2FA on a super-admin account to log in and gain full administrative control over the Grav instance.\u003c/li\u003e\n\u003cli\u003eWith super-admin privileges, the attacker achieves full instance takeover, allowing for arbitrary code execution, data manipulation, exfiltration, or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-62233 leads to complete administrative control over the affected Grav CMS instance. Attackers can gain unrestricted access to all data, settings, and functionalities, including the ability to modify website content, access sensitive user information, install malicious plugins, or deploy web shells. This privilege escalation undermines all security controls, such as 2FA, for super-admin accounts. The consequence is a full compromise of the web application, potentially leading to data breaches, website defacement, or use of the compromised server for further attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-62233 immediately by updating \u003ccode\u003egrav-plugin-api\u003c/code\u003e to version 1.0.6 or later on all affected Grav CMS instances.\u003c/li\u003e\n\u003cli\u003eReview all \u003ccode\u003eapi.users.write\u003c/code\u003e managers for suspicious API key creation or 2FA modifications following the exploitation window described in CVE-2026-62233.\u003c/li\u003e\n\u003cli\u003eImplement strong access controls and principle of least privilege for all user accounts accessing API endpoints to mitigate risks from vulnerabilities like CVE-2026-62233.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T02:37:38Z","date_published":"2026-07-17T02:37:38Z","id":"https://feed.craftedsignal.io/briefs/2026-07-grav-plugin-api-privesc/","summary":"A privilege escalation vulnerability (CVE-2026-62233) in grav-plugin-api before version 1.0.6 allows non-super api.users.write managers to bypass authorization checks on administrative API endpoints, enabling the creation of super-admin API keys or disabling super-admin Two-Factor Authentication (2FA), leading to full Grav instance takeover.","title":"Grav Plugin API Privilege Escalation via Authorization Bypass (CVE-2026-62233)","url":"https://feed.craftedsignal.io/briefs/2026-07-grav-plugin-api-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed - Grav-Plugin-Api","version":"https://jsonfeed.org/version/1.1"}