<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Grav-Plugin-Api - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/grav-plugin-api/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 02:37:38 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/grav-plugin-api/feed.xml" rel="self" type="application/rss+xml"/><item><title>Grav Plugin API Privilege Escalation via Authorization Bypass (CVE-2026-62233)</title><link>https://feed.craftedsignal.io/briefs/2026-07-grav-plugin-api-privesc/</link><pubDate>Fri, 17 Jul 2026 02:37:38 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-grav-plugin-api-privesc/</guid><description>A privilege escalation vulnerability (CVE-2026-62233) in grav-plugin-api before version 1.0.6 allows non-super api.users.write managers to bypass authorization checks on administrative API endpoints, enabling the creation of super-admin API keys or disabling super-admin Two-Factor Authentication (2FA), leading to full Grav instance takeover.</description><content:encoded><![CDATA[<p>CVE-2026-62233 identifies a critical authorization bypass vulnerability within the <code>grav-plugin-api</code> for Grav CMS, affecting all versions prior to 1.0.6. This flaw stems from an insufficient validation of user privileges when processing requests to the <code>createApiKey</code>, <code>generate2fa</code>, and <code>disable2fa</code> API endpoints. An attacker who has already obtained initial access as a low-privileged <code>api.users.write</code> manager can exploit this vulnerability to escalate their privileges to super-admin level. By abusing these endpoints, the attacker can either mint new API keys with super-admin permissions or disable the Two-Factor Authentication (2FA) for existing super-admin accounts, effectively granting them full administrative control over the Grav instance. This vulnerability poses a significant risk as it can lead to complete compromise of the affected system.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the Grav instance with a low-privileged account, specifically one granted the <code>api.users.write</code> manager role.</li>
<li>The attacker identifies and targets the <code>createApiKey</code>, <code>generate2fa</code>, or <code>disable2fa</code> API endpoints exposed by the <code>grav-plugin-api</code>.</li>
<li>The attacker crafts an API request to one of these endpoints, typically specifying a super-admin user account or parameters that would affect super-admin privileges.</li>
<li>Due to the vulnerability (CVE-2026-62233), the <code>grav-plugin-api</code> version prior to 1.0.6 fails to properly validate whether the initiating user has super-admin status.</li>
<li>If the attacker uses the <code>createApiKey</code> endpoint, a new API key is successfully generated and bound to a super-admin account, granting the attacker super-admin capabilities.</li>
<li>Alternatively, if the attacker uses the <code>disable2fa</code> endpoint, the Two-Factor Authentication for a target super-admin account is successfully removed.</li>
<li>The attacker then utilizes the newly acquired super-admin API key or leverages the disabled 2FA on a super-admin account to log in and gain full administrative control over the Grav instance.</li>
<li>With super-admin privileges, the attacker achieves full instance takeover, allowing for arbitrary code execution, data manipulation, exfiltration, or further lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-62233 leads to complete administrative control over the affected Grav CMS instance. Attackers can gain unrestricted access to all data, settings, and functionalities, including the ability to modify website content, access sensitive user information, install malicious plugins, or deploy web shells. This privilege escalation undermines all security controls, such as 2FA, for super-admin accounts. The consequence is a full compromise of the web application, potentially leading to data breaches, website defacement, or use of the compromised server for further attacks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-62233 immediately by updating <code>grav-plugin-api</code> to version 1.0.6 or later on all affected Grav CMS instances.</li>
<li>Review all <code>api.users.write</code> managers for suspicious API key creation or 2FA modifications following the exploitation window described in CVE-2026-62233.</li>
<li>Implement strong access controls and principle of least privilege for all user accounts accessing API endpoints to mitigate risks from vulnerabilities like CVE-2026-62233.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>vulnerability</category><category>grav</category></item></channel></rss>