{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/api-plugin/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-58656"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Grav API plugin"],"_cs_severities":["high"],"_cs_tags":["grav","api-plugin","jwt","cors","remote-code-execution","web-vulnerability"],"_cs_type":"advisory","_cs_vendors":["getgrav"],"content_html":"\u003cp\u003eA significant vulnerability, identified as CVE-2026-58656, affects the Grav API plugin versions prior to v1.0.0-rc.16. This flaw enables unauthenticated attackers to bypass authentication and execute fully authenticated API requests from any malicious web domain. The core issue lies in the plugin's acceptance of JSON Web Tokens (JWT) directly via the \u003ccode\u003e?token=\u003c/code\u003e URL query parameter and its incorrect configuration of the \u003ccode\u003eAccess-Control-Allow-Origin: *\u003c/code\u003e response header, which permits cross-origin requests. Attackers can obtain these sensitive JWT tokens through various means, including leaked access logs, proxy logs, browser history, or Referrer headers. Successful exploitation allows for the creation of persistent backdoor super-admin accounts, granting full control over the Grav instance, and facilitating the exfiltration of sensitive configuration and user data, posing a severe risk to data integrity and confidentiality for affected Grav installations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eToken Leakage:\u003c/strong\u003e An attacker obtains a valid JWT token through passive reconnaissance, such as scraping public access logs, exploiting proxy log misconfigurations, or analyzing browser history and Referrer headers that inadvertently expose the \u003ccode\u003e?token=\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Website Setup:\u003c/strong\u003e The attacker sets up a malicious website or leverages an existing compromised site to host their exploit code.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCross-Origin Request Initiation:\u003c/strong\u003e From the malicious website, the attacker crafts and initiates a JavaScript-based cross-origin API request targeting the vulnerable Grav instance.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eJWT Injection:\u003c/strong\u003e The attacker embeds the leaked JWT token directly into the URL query string of the API request, using the format \u003ccode\u003e/api/endpoint?token=JWT_VALUE\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Processing:\u003c/strong\u003e The Grav API plugin, due to the \u003ccode\u003eAccess-Control-Allow-Origin: *\u003c/code\u003e header, processes this cross-origin request as fully authenticated and ignores origin restrictions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAdmin Account Creation:\u003c/strong\u003e The attacker sends an authenticated API request to create a new, persistent super-admin account, establishing a backdoor.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e Using the newly created super-admin account or directly via the compromised JWT, the attacker sends subsequent API requests to exfiltrate sensitive configuration files and user database contents.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-58656 leads to severe consequences, primarily affecting the confidentiality, integrity, and availability of Grav installations. Attackers can gain complete administrative control over the Grav content management system by creating persistent backdoor super-admin accounts. This level of access allows for arbitrary data modification, content defacement, or complete deletion. Furthermore, attackers can exfiltrate sensitive data, including but not limited to user credentials, personal identifiable information (PII), and proprietary configuration settings. This can result in significant data breaches, reputational damage, and potential regulatory non-compliance for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-58656 immediately\u003c/strong\u003e by upgrading the Grav API plugin to version v1.0.0-rc.16 or later to remove the vulnerable functionality.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rules in this brief\u003c/strong\u003e to your SIEM to detect attempts to exploit the \u003ccode\u003e?token=\u003c/code\u003e query parameter.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview web server logs and proxy logs\u003c/strong\u003e for instances of \u003ccode\u003e/api/*?token=\u003c/code\u003e query parameters to identify potential historical exploitation or token leakage.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T14:25:22Z","date_published":"2026-07-08T14:25:22Z","id":"https://feed.craftedsignal.io/briefs/2026-07-grav-api-jwt-cors-takeover/","summary":"A critical vulnerability, CVE-2026-58656, in the Grav API plugin before v1.0.0-rc.16 allows unauthenticated attackers to perform fully authenticated cross-origin API requests by leveraging leaked JWT tokens via the `?token=` URL query parameter and the `Access-Control-Allow-Origin: *` response header, potentially leading to persistent backdoor super-admin accounts and sensitive data exfiltration.","title":"CVE-2026-58656 - Grav API Plugin Cross-Origin Authentication Bypass and Account Takeover","url":"https://feed.craftedsignal.io/briefs/2026-07-grav-api-jwt-cors-takeover/"}],"language":"en","title":"CraftedSignal Threat Feed - Api-Plugin","version":"https://jsonfeed.org/version/1.1"}