PatchSiren cyber security CVE debrief
CVE-2026-62233 getgrav CVE debrief
CVE-2026-62233 is a high-severity vulnerability in grav-plugin-api before version 1.0.6. The vulnerability allows non-super admin users with api.users.write manager privileges to escalate to super-admin status by exploiting the createApiKey, generate2fa, and disable2fa endpoints. This could lead to full instance takeover by minting API keys bound to super-admin accounts or stripping 2FA from super-admin users.
- Vendor
- getgrav
- Product
- grav
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of grav-plugin-api versions before 1.0.6 should be concerned about this vulnerability. Specifically, administrators of Grav instances who have not updated to the latest version of the plugin are at risk. The vulnerability's high CVSS score of 8.7 indicates its potential for significant impact.
Technical summary
The grav-plugin-api before version 1.0.6 does not properly validate super-admin status in certain endpoints, including createApiKey, generate2fa, and disable2fa. This oversight allows users with manager privileges (api.users.write) to perform actions typically reserved for super-admins. By exploiting these endpoints, an attacker can escalate their privileges to super-admin, potentially leading to full control over the Grav instance. The vulnerability is characterized by a CVSS:4.0 score of 8.7, indicating high severity.
Defensive priority
High priority should be given to updating grav-plugin-api to version 1.0.6 or later. In the meantime, restricting access to the affected endpoints and closely monitoring for suspicious activity related to API key creation, 2FA management, and admin privilege changes is advisable.
Recommended defensive actions
- Update grav-plugin-api to version 1.0.6 or later immediately.
- Restrict access to the createApiKey, generate2fa, and disable2fa endpoints to only super-admin users.
- Monitor for suspicious activity related to API key creation and 2FA management.
- Implement additional logging and monitoring for admin privilege changes.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-17T02:18:10.890Z and has not been modified since then. The NVD entry is currently in the 'Received' status. Limited information is available about the specific details of the vulnerability and its exploitation.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T02:18:10.890Z and has not been modified since then. The NVD entry is currently Received.