PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-58656 getgrav CVE debrief

The Grav API plugin before version 1.0.0-rc.16 has a security vulnerability that allows unauthenticated attackers to make fully authenticated cross-origin API requests. This is possible because the plugin accepts JWT tokens via the ?token= URL query parameter and responds with an Access-Control-Allow-Origin: * header. Attackers who obtain a leaked JWT token can create persistent backdoor super-admin accounts and exfiltrate sensitive configuration and user data. The vulnerability has a CVSS score of 8.7 and is considered HIGH severity.

Vendor
getgrav
Product
grav
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-08
Advisory published
2026-07-08
Advisory updated
2026-07-08

Who should care

Administrators and users of the Grav API plugin should be aware of this vulnerability and take immediate action to update to version 1.0.0-rc.16 or later. Additionally, anyone who has used the plugin's API or has access to the plugin's configuration should be cautious of potential unauthorized access.

Technical summary

The Grav API plugin before version 1.0.0-rc.16 is vulnerable to cross-origin requests due to its handling of JWT tokens via URL query parameters and its response headers. Specifically, the plugin accepts JWT tokens via the ?token= URL query parameter and responds with an Access-Control-Allow-Origin: * header, allowing unauthenticated attackers to make fully authenticated cross-origin API requests. This can lead to the creation of persistent backdoor super-admin accounts and exfiltration of sensitive configuration and user data.

Defensive priority

High

Recommended defensive actions

  • Update the Grav API plugin to version 1.0.0-rc.16 or later
  • Verify and restrict access to the plugin's API
  • Monitor for suspicious activity and potential unauthorized access
  • Consider implementing additional security measures such as token validation and IP restrictions
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-08T14:17:20.297Z and has not been modified since then. The NVD entry is currently Deferred. The Grav API plugin before version 1.0.0-rc.16 has a security vulnerability that allows unauthenticated attackers to make fully authenticated cross-origin API requests. This is possible because the plugin accepts JWT tokens via the ?token= URL query parameter and responds with an Access-Control-Allow-Origin: * header. Attackers who obtain a leaked JWT token can create persistent backdoor super-admin accounts and exfiltrate sensitive configuration and user data. Evidence is limited to CVE and NVD details.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T14:17:20.297Z and has not been modified since then. The NVD entry is currently Deferred.