PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-62386 getgrav CVE debrief

The Grav API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 has a security vulnerability. It accepts JWT access tokens through the ?token= URL query parameter on every API route due to a fallback in JwtAuthenticator::extractBearerToken. This causes tokens to be logged in web server access logs, leaked via the Referer header, stored in browser history, and captured by upstream proxy and CDN logs. A leaked token allows unauthorized API access, including reading configuration and user data, creating admin accounts, modifying system settings, and deleting pages.

Vendor
getgrav
Product
grav
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Administrators and users of the Grav API plugin, especially those with admin access, should be aware of this vulnerability. Immediate action is required to prevent unauthorized access.

Technical summary

The Grav API plugin before 1.0.0-rc.16 is vulnerable to JWT token exposure. The plugin accepts JWT access tokens through the URL query parameter ?token= on all API routes. This insecure practice leads to token leakage through various channels, including web server logs, Referer headers, browser history, and proxy/CDN logs. An attacker with access to these logs can obtain valid admin access tokens, granting them unauthorized API access. This access enables malicious activities such as reading sensitive configuration and user data, creating new admin accounts, modifying system settings, and deleting pages.

Defensive priority

High priority should be given to updating the Grav API plugin to version 1.0.0-rc.16 or later. In the meantime, administrators should consider disabling the use of JWT tokens via URL query parameters or implementing additional logging and monitoring to detect potential token leaks.

Recommended defensive actions

  • Update the Grav API plugin to version 1.0.0-rc.16 or later immediately.
  • Disable the use of JWT tokens via URL query parameters if possible.
  • Implement additional logging and monitoring to detect potential token leaks.
  • Review web server access logs, Referer headers, and proxy/CDN logs for any suspicious activity.
  • Consider rotating or revoking existing JWT tokens as a precautionary measure.

Evidence notes

The CVE record was published on 2026-07-17T02:18:11.903Z and has not been modified since then. The NVD entry is currently in the 'Received' status. References include GitHub security advisories and Vulncheck advisories.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T02:18:11.903Z and has not been modified since then. The NVD entry is currently Received.