CVE-2026-42843 Overview
CVE-2026-42843 is a privilege escalation vulnerability in the Grav API Plugin, a RESTful API providing headless access to Grav CMS content, media, configuration, and system management. The flaw resides in the UsersController::update method and combines an insecure direct object reference with a logic flaw. Any authenticated user holding basic API access (api.access) can modify their own permission configuration. Attackers can elevate their account to Super Administrator by granting themselves admin.super and api.super permissions. This grants full administrative control over the CMS and can lead to remote code execution. The issue is fixed in version 1.0.0-beta.15.
Critical Impact
Authenticated low-privilege users can escalate to Super Administrator, resulting in full system compromise and potential RCE on Grav CMS instances.
Affected Products
- Grav API Plugin versions prior to 1.0.0-beta.15
- Grav CMS deployments with the API Plugin enabled
- Headless Grav implementations exposing the REST API
Discovery Timeline
- 2026-05-11 - CVE-2026-42843 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42843
Vulnerability Analysis
The vulnerability stems from improper authorization checks in the UsersController::update endpoint of the Grav API Plugin. The endpoint accepts user permission fields in the update payload without validating whether the requesting user has authority to modify those specific fields. An authenticated attacker holding the minimal api.access permission can submit an update request targeting their own user record and inject elevated permissions into the payload. The plugin processes the payload and persists the modified permissions, including administrative scopes like admin.super and api.super. This issue maps to CWE-863: Incorrect Authorization.
Root Cause
The root cause is a missing authorization boundary between user-modifiable profile fields and permission-controlling fields. The update handler treats all submitted fields equivalently, trusting client-supplied permission data. There is no role-based check confirming that the caller possesses administrative rights before applying permission changes.
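As an added illustration (not the Grav API Plugin's own code; the field sets, handler names and sample store are hypothetical), the merge-everything pattern described above is shown next to a hardened handler that separates self-service profile fields from permission fields and requires admin.super before the latter can change:

```python
# Added illustration, not the Grav API Plugin's code (names hypothetical).
PROFILE_FIELDS = {"email", "fullname", "language"}   # self-service fields
PERMISSION_FIELDS = {"access"}                        # permission map, e.g. {"admin": {"super": True}}

ESCALATION_PAYLOAD = {"access": {"admin": {"super": True}, "api": {"super": True}}}

class AuthorizationError(Exception):
    pass

def is_super_admin(user: dict) -> bool:
    return bool(user.get("access", {}).get("admin", {}).get("super"))

def update_user_vulnerable(caller: dict, users: dict, target: str, payload: dict) -> dict:
    """Flawed pattern: every submitted field is merged into the record, so a
    caller holding only api.access can write admin.super into their own account."""
    users[target].update(payload)
    return users[target]

def update_user_hardened(caller: dict, users: dict, target: str, payload: dict) -> dict:
    """Allowlist the fields, let non-admins edit only their own profile, and
    require admin.super before any permission field is touched."""
    unknown = set(payload) - PROFILE_FIELDS - PERMISSION_FIELDS
    if unknown:
        raise AuthorizationError(f"unknown fields: {sorted(unknown)}")
    if not is_super_admin(caller):
        if caller["username"] != target:
            raise AuthorizationError("only admins may edit other users")
        if set(payload) & PERMISSION_FIELDS:
            raise AuthorizationError("permission fields require admin.super")
    users[target].update(payload)
    return users[target]

def fresh_users() -> dict:
    """Constructed sample store: one super admin and one api.access-only user."""
    return {
        "root": {"username": "root", "access": {"admin": {"super": True}, "api": {"super": True}}},
        "alice": {"username": "alice", "access": {"api": {"access": True}}},
    }

def attempt(handler, caller: str, target: str, payload: dict) -> tuple:
    """Run one update against a fresh store; return (accepted, target_is_super_after)."""
    users = fresh_users()
    try:
        handler(users[caller], users, target, payload)
        accepted = True
    except AuthorizationError:
        accepted = False
    return accepted, is_super_admin(users[target])
```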
Attack Vector
An attacker first obtains valid credentials for any account with api.access, which may be a standard API consumer or registered user. The attacker sends an authenticated HTTP request to the user update endpoint, targeting their own user identifier. The request body includes a permissions object granting admin.super and api.super privileges. Upon success, the attacker holds Super Administrator rights and can manage system configuration, install plugins, or execute code via Grav's administrative features.
See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-42843
Indicators of Compromise
- Unexpected API requests to the Grav user update endpoint that include admin.super or api.super permission fields in the JSON body.
- User accounts whose permission set was modified outside of an administrator session or known provisioning workflow.
- New or existing low-privilege users gaining administrative panel access shortly after authenticating to the API.
Detection Strategies
- Audit the Grav user store and configuration files for accounts holding admin.super or api.super that were not provisioned by administrators.
- Inspect web server access logs for PUT or PATCH requests to user update routes originating from non-admin sessions.
- Correlate authentication events with subsequent permission changes to identify self-elevation patterns.
Monitoring Recommendations
- Enable verbose API request logging on the Grav API Plugin and forward logs to a centralized analytics platform.
- Alert on any modification to user permission fields, especially when the actor and the target user are identical.
- Monitor for downstream administrative actions such as plugin installation, theme uploads, or scheduler edits performed by recently elevated accounts.
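An added detection sketch covering the Detection Strategies and Monitoring Recommendations above (not part of the advisory or the plugin): it flags successful PUT/PATCH requests to user update routes by non-admin actors, marks the self-targeted ones, and audits a user store for admin.super or api.super holders nobody provisioned. The access-log layout, the /api/users/<name> route and the sample data are assumptions.

```python
import re

# Added detection sketch, not part of the advisory or the plugin. The log format
# and the /api/users/<name> route are assumptions; adjust the regex to your proxy.
LOG_RE = re.compile(r'^(?P<ip>\S+) - (?P<actor>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
USER_ROUTE = re.compile(r"^/api/users/(?P<target>[^/?]+)")

# Constructed sample access-log lines (actor = authenticated API user).
SAMPLE_LOG = """\
203.0.113.7 - alice [11/May/2026:10:02:11 +0000] "POST /api/login HTTP/1.1" 200 312
203.0.113.7 - alice [11/May/2026:10:02:40 +0000] "PATCH /api/users/alice HTTP/1.1" 200 188
198.51.100.4 - root [11/May/2026:09:15:03 +0000] "PUT /api/users/bob HTTP/1.1" 200 201
203.0.113.9 - bob [11/May/2026:10:05:00 +0000] "GET /api/users/bob HTTP/1.1" 200 540
"""

def find_suspicious_user_updates(log_text: str, admins: set) -> list:
    """Flag successful PUT/PATCH to user update routes by non-admin actors;
    mark self-targeted ones, which match the CVE-2026-42843 pattern."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] not in {"PUT", "PATCH"} or not m["status"].startswith("2"):
            continue
        r = USER_ROUTE.match(m["path"])
        if not r or m["actor"] in admins:
            continue
        findings.append({"ts": m["ts"], "actor": m["actor"], "target": r["target"],
                         "method": m["method"], "self_update": m["actor"] == r["target"]})
    return findings

def audit_user_store(users: dict, provisioned_admins: set) -> list:
    """Return users holding admin.super or api.super that were not provisioned."""
    def has(u, scope):
        return bool(u.get("access", {}).get(scope, {}).get("super"))
    return sorted(name for name, u in users.items()
                  if (has(u, "admin") or has(u, "api")) and name not in provisioned_admins)

# Constructed sample store, shaped like the access block of a parsed account record.
SAMPLE_USERS = {
    "root": {"access": {"admin": {"super": True}, "api": {"super": True}}},
    "alice": {"access": {"admin": {"super": True}, "api": {"super": True, "access": True}}},
    "bob": {"access": {"api": {"access": True}}},
}
```

Feeding the findings into an alert that fires whenever self_update is true implements the "actor equals target" rule from the monitoring recommendations.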
How to Mitigate CVE-2026-42843
Immediate Actions Required
- Upgrade the Grav API Plugin to version 1.0.0-beta.15 or later on all affected instances.
- Review every user account for unauthorized admin.super or api.super grants and revoke them.
- Rotate API tokens and credentials for users who held api.access prior to patching.
Patch Information
The maintainers fixed CVE-2026-42843 in Grav API Plugin 1.0.0-beta.15. The patch enforces authorization checks in UsersController::update so that callers cannot modify permission fields without administrative rights. Refer to the GitHub Security Advisory GHSA-r945-h4vm-h736 for release notes.
Workarounds
- Disable the Grav API Plugin until the patched version can be deployed if upgrade is not immediately possible.
- Restrict network access to the API endpoints using a reverse proxy or web application firewall, allowing only trusted IP ranges.
- Remove api.access from non-essential user accounts to reduce the attacker pool that can reach the vulnerable endpoint.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.