PatchSiren cyber security CVE debrief
CVE-2026-58656 getgrav CVE debrief
The Grav API plugin before version 1.0.0-rc.16 has a security vulnerability that allows unauthenticated attackers to make fully authenticated cross-origin API requests. This is possible because the plugin accepts JWT tokens via the ?token= URL query parameter and responds with an Access-Control-Allow-Origin: * header. Attackers who obtain a leaked JWT token can create persistent backdoor super-admin accounts and exfiltrate sensitive configuration and user data. The vulnerability has a CVSS score of 8.7 and is considered HIGH severity.
- Vendor
- getgrav
- Product
- grav
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-08
Who should care
Administrators and users of the Grav API plugin should be aware of this vulnerability and take immediate action to update to version 1.0.0-rc.16 or later. Additionally, anyone who has used the plugin's API or has access to the plugin's configuration should be cautious of potential unauthorized access.
Technical summary
The Grav API plugin before version 1.0.0-rc.16 is vulnerable to cross-origin requests due to its handling of JWT tokens via URL query parameters and its response headers. Specifically, the plugin accepts JWT tokens via the ?token= URL query parameter and responds with an Access-Control-Allow-Origin: * header, allowing unauthenticated attackers to make fully authenticated cross-origin API requests. This can lead to the creation of persistent backdoor super-admin accounts and exfiltration of sensitive configuration and user data.
Defensive priority
High
Recommended defensive actions
- Update the Grav API plugin to version 1.0.0-rc.16 or later
- Verify and restrict access to the plugin's API
- Monitor for suspicious activity and potential unauthorized access
- Consider implementing additional security measures such as token validation and IP restrictions
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-08T14:17:20.297Z and has not been modified since then. The NVD entry is currently Deferred. The Grav API plugin before version 1.0.0-rc.16 has a security vulnerability that allows unauthenticated attackers to make fully authenticated cross-origin API requests. This is possible because the plugin accepts JWT tokens via the ?token= URL query parameter and responds with an Access-Control-Allow-Origin: * header. Attackers who obtain a leaked JWT token can create persistent backdoor super-admin accounts and exfiltrate sensitive configuration and user data. Evidence is limited to CVE and NVD details.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T14:17:20.297Z and has not been modified since then. The NVD entry is currently Deferred.