Back to overview

CVE-2026-62386

HIGH
7.5
CVSS 3.1
Description
The Grav API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 accepts JWT access tokens through the ?token= URL query parameter on every API route (JwtAuthenticator::extractBearerToken fallback). Because tokens are embedded in URLs, they are logged verbatim in web server access logs, leaked via the Referer header, stored in browser history, and captured by upstream proxy and CDN logs, exposing valid admin access tokens. A leaked token grants unauthorized API access, including reading configuration and user data, creating admin accounts, modifying system settings, and deleting pages.

Metadata

CVE ID
CVE-2026-62386
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-13 22:40 UTC
Published
2026-07-17 00:07 UTC
Last updated
2026-07-17 00:07 UTC
Primary CWE
CWE-598
Use of GET Request Method With Sensitive Query Strings
Vendor / Product
getgrav / grav
Sources
cve.org  ·  NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
getgrav grav 0 < 1.0.0-rc.16, 1.0.0-rc.16
Weakness (CWE)
CWESourceDescription
CWE-598 cna Use of GET Request Method With Sensitive Query Strings
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.2 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
7.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References (2)
Back to overview