PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-62233 getgrav CVE debrief

CVE-2026-62233 is a high-severity vulnerability in grav-plugin-api before version 1.0.6. The vulnerability allows non-super admin users with api.users.write manager privileges to escalate to super-admin status by exploiting the createApiKey, generate2fa, and disable2fa endpoints. This could lead to full instance takeover by minting API keys bound to super-admin accounts or stripping 2FA from super-admin users.

Vendor
getgrav
Product
grav
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of grav-plugin-api versions before 1.0.6 should be concerned about this vulnerability. Specifically, administrators of Grav instances who have not updated to the latest version of the plugin are at risk. The vulnerability's high CVSS score of 8.7 indicates its potential for significant impact.

Technical summary

The grav-plugin-api before version 1.0.6 does not properly validate super-admin status in certain endpoints, including createApiKey, generate2fa, and disable2fa. This oversight allows users with manager privileges (api.users.write) to perform actions typically reserved for super-admins. By exploiting these endpoints, an attacker can escalate their privileges to super-admin, potentially leading to full control over the Grav instance. The vulnerability is characterized by a CVSS:4.0 score of 8.7, indicating high severity.

Defensive priority

High priority should be given to updating grav-plugin-api to version 1.0.6 or later. In the meantime, restricting access to the affected endpoints and closely monitoring for suspicious activity related to API key creation, 2FA management, and admin privilege changes is advisable.

Recommended defensive actions

  • Update grav-plugin-api to version 1.0.6 or later immediately.
  • Restrict access to the createApiKey, generate2fa, and disable2fa endpoints to only super-admin users.
  • Monitor for suspicious activity related to API key creation and 2FA management.
  • Implement additional logging and monitoring for admin privilege changes.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-17T02:18:10.890Z and has not been modified since then. The NVD entry is currently in the 'Received' status. Limited information is available about the specific details of the vulnerability and its exploitation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T02:18:10.890Z and has not been modified since then. The NVD entry is currently Received.