PatchSiren cyber security CVE debrief
CVE-2026-62386 getgrav CVE debrief
The Grav API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 has a security vulnerability. It accepts JWT access tokens through the ?token= URL query parameter on every API route due to a fallback in JwtAuthenticator::extractBearerToken. This causes tokens to be logged in web server access logs, leaked via the Referer header, stored in browser history, and captured by upstream proxy and CDN logs. A leaked token allows unauthorized API access, including reading configuration and user data, creating admin accounts, modifying system settings, and deleting pages.
- Vendor
- getgrav
- Product
- grav
- CVSS
- HIGH 8.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Administrators and users of the Grav API plugin, especially those with admin access, should be aware of this vulnerability. Immediate action is required to prevent unauthorized access.
Technical summary
The Grav API plugin before 1.0.0-rc.16 is vulnerable to JWT token exposure. The plugin accepts JWT access tokens through the URL query parameter ?token= on all API routes. This insecure practice leads to token leakage through various channels, including web server logs, Referer headers, browser history, and proxy/CDN logs. An attacker with access to these logs can obtain valid admin access tokens, granting them unauthorized API access. This access enables malicious activities such as reading sensitive configuration and user data, creating new admin accounts, modifying system settings, and deleting pages.
Defensive priority
High priority should be given to updating the Grav API plugin to version 1.0.0-rc.16 or later. In the meantime, administrators should consider disabling the use of JWT tokens via URL query parameters or implementing additional logging and monitoring to detect potential token leaks.
Recommended defensive actions
- Update the Grav API plugin to version 1.0.0-rc.16 or later immediately.
- Disable the use of JWT tokens via URL query parameters if possible.
- Implement additional logging and monitoring to detect potential token leaks.
- Review web server access logs, Referer headers, and proxy/CDN logs for any suspicious activity.
- Consider rotating or revoking existing JWT tokens as a precautionary measure.
Evidence notes
The CVE record was published on 2026-07-17T02:18:11.903Z and has not been modified since then. The NVD entry is currently in the 'Received' status. References include GitHub security advisories and Vulncheck advisories.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T02:18:11.903Z and has not been modified since then. The NVD entry is currently Received.