VYPR
High severity8.8GHSA Advisory· Published May 11, 2026· Updated May 27, 2026

CVE-2026-42843

CVE-2026-42843

Description

Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
getgrav/grav-plugin-apiPackagist
< 1.0.0-beta.151.0.0-beta.15

Affected products

16
  • Range: < 1.0.0-beta.15
  • cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta1:*:*:*:*:*:*+ 13 more
    • cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta10:*:*:*:*:*:*
    • cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta11:*:*:*:*:*:*
    • cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta12:*:*:*:*:*:*
    • cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta13:*:*:*:*:*:*
    • cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta14:*:*:*:*:*:*
    • cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta4:*:*:*:*:*:*
    • cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta5:*:*:*:*:*:*
    • cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta6:*:*:*:*:*:*
    • cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta7:*:*:*:*:*:*
    • cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta8:*:*:*:*:*:*
    • cpe:2.3:a:getgrav:grav-plugin-api:1.0.0:beta9:*:*:*:*:*:*
  • ghsa-coords
    Range: < 1.0.0-beta.15

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.