PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-62231 getgrav CVE debrief

The Grav API plugin (getgrav/grav-plugin-api) before 1.0.6 contains an authorization bypass vulnerability. API keys can be created with a restricted scopes array, but the ApiKeyAuthenticator class never reads or enforces these scopes. It loads and returns the owning user's full account object, allowing a key created with limited scopes (e.g., read-only) to perform any write, delete, or administrative operation the owning user is authorized for. This issue was fixed in version 1.0.6. The vulnerability can be exploited by an attacker with a limited-scope API key, potentially leading to unauthorized access and modification of sensitive data.

Vendor
getgrav
Product
grav
CVSS
HIGH 8.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of the Grav API plugin, especially those who have not upgraded to version 1.0.6, should be aware of this vulnerability and take necessary precautions to protect their systems. This includes reviewing and restricting API key scopes, monitoring API usage for suspicious activity, and implementing additional security measures.

Technical summary

The Grav API plugin before 1.0.6 is vulnerable to an authorization bypass. When creating API keys, users can specify a restricted scopes array. However, the ApiKeyAuthenticator class does not enforce these scopes, allowing users with limited-scope keys to perform operations beyond their intended permissions. This vulnerability can be exploited by an attacker with a limited-scope API key, potentially leading to unauthorized access and modification of sensitive data. The issue was fixed in version 1.0.6.

Defensive priority

High

Recommended defensive actions

  • Upgrade the Grav API plugin to version 1.0.6 or later
  • Review and restrict API key scopes
  • Monitor API usage for suspicious activity
  • Implement additional security measures, such as IP whitelisting or rate limiting
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-17T02:18:10.587Z and has not been modified since then. The NVD entry is currently in the 'Received' status. The source details are limited, and further verification is needed to confirm the affected scope and severity. Defenders should review the official CVE record and NVD entry for more information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T02:18:10.587Z and has not been modified since then. The NVD entry is currently Received.