CVE-2026-42843
Published 2026-05-11
Priority: P2 (60) | Severity: high | CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.35% (26.9th percentile)
Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getgrav | grav-plugin-api | >= 0, < 1.0.0-beta.15 | 1.0.0-beta.15 |
VulDB
CVE-2026-42843 [HIGH] getgrav grav-plugin-api up to 1.0.0-beta.14 UsersController::update authorization (GHSA-r945-h4vm-h736)
vuldb · 2026-05-11 · CVSS 8.8
A vulnerability described as critical has been identified in getgrav grav-plugin-api up to 1.0.0-beta.14. The affected function is UsersController::update; manipulation of its input results in incorrect authorization (CWE-863).
This vulnerability is cataloged as CVE-2026-42843. The attack may be launched remotely. No public exploit is available.
Upgrading the affected component to 1.0.0-beta.15 or later is recommended.
GHSA
CVE-2026-42843 [HIGH] CWE-863 Grav API Privilege Escalation to Super Admin
ghsa · 2026-05-05
### Summary
An insecure direct object reference and logic flaw in the Grav API plugin (`UsersController::update`) allows any authenticated user with basic API access (`api.access`) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (`admin.super` and `api.super`), leading to full system compromise and potential RCE.
### Details
The vulnerability is located in `user/plugins/api/classes/Api/Controllers/UsersController.php` within the `update` method.
The API allows users to update their own profiles if they possess the basic `api.access` permission:
```php
// UsersController.php -> update()
$isSelf = $currentUser->username === $username;
if (!$isSelf) {
    $this->requir
    // ... (the advisory snippet is truncated at this point in the source)
```
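The flaw the advisory describes is that the self-update branch trusts whatever fields the caller sends, so the same request that changes an email address can also rewrite the caller's `access` tree. The following is an added illustration, not code from the Grav API plugin: it models a user as a plain array, shows a self-update that merges the request body wholesale (the vulnerable shape), and beside it a self-update restricted to an allow-list of profile fields so that permission-bearing keys are dropped no matter what the client sends. The key names `access`, `admin.super` and `api.super` follow Grav's account layout; the function names, the allow-list and the sample account are assumptions made for the example.

```php
<?php
// Added example (not the plugin's own code). Models the self-update path of a
// profile API: vulnerable wholesale merge vs. allow-listed merge.
declare(strict_types=1);

// Constructed sample: a low-privilege account that only holds api.access.
function sampleUser(): array
{
    return [
        'username' => 'alice',
        'email'    => 'alice@example.test',
        'access'   => ['api' => ['access' => true]],
    ];
}

// Vulnerable shape: every key in the body, including the permission tree,
// is written onto the stored record. A self-update therefore doubles as a
// permission grant.
function updateSelfVulnerable(array $user, array $body): array
{
    foreach ($body as $key => $value) {
        $user[$key] = $value;
    }
    return $user;
}

// Hardened shape: a self-update may only touch ordinary profile fields.
// Anything else (notably "access" and "groups") is discarded here; changing
// permissions belongs in a separate path gated on admin.super / api.super.
// (Allow-list chosen for this example.)
const SELF_EDITABLE_FIELDS = ['email', 'fullname', 'title', 'language'];

function updateSelfHardened(array $user, array $body): array
{
    foreach ($body as $key => $value) {
        if (!in_array($key, SELF_EDITABLE_FIELDS, true)) {
            // Dropping silently is the minimum; rejecting the whole request
            // with 403 and logging the attempt is the better choice.
            continue;
        }
        $user[$key] = $value;
    }
    return $user;
}

// Does the record now carry either super-admin flag?
function isSuper(array $user): bool
{
    $access = $user['access'] ?? [];
    return !empty($access['admin']['super']) || !empty($access['api']['super']);
}

// Constructed attacker body: a routine-looking profile update that smuggles
// a full permission tree alongside the email change.
$body = [
    'email'  => 'alice@example.test',
    'access' => [
        'admin' => ['super' => true],
        'api'   => ['super' => true, 'access' => true],
    ],
];

// With the wholesale merge the caller ends up holding admin.super and api.super;
// with the allow-listed merge the "access" key never reaches the record.
var_dump(isSuper(updateSelfVulnerable(sampleUser(), $body)));
var_dump(isSuper(updateSelfHardened(sampleUser(), $body)));
```

The allow-list is the important part: the `$isSelf` check in the advisory snippet decides *who* may call `update`, but the fix has to also constrain *what* a self-call may change. After upgrading to 1.0.0-beta.15, it is worth inspecting the stored account files (Grav typically keeps them under `user/accounts/`) for `admin.super` or `api.super` grants that nobody made deliberately, since an escalation that happened before the upgrade persists in the data.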
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.