Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-42843

CVE-2026-42843: Grav API Plugin Privilege Escalation

CVE-2026-42843 is a privilege escalation vulnerability in Grav API Plugin that allows authenticated users to escalate to Super Administrator access. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-42843 Overview

CVE-2026-42843 is a privilege escalation vulnerability in the Grav API Plugin, a RESTful API providing headless access to Grav CMS content, media, configuration, and system management. The flaw resides in the UsersController::update method and combines an insecure direct object reference with a logic flaw. Any authenticated user holding basic API access (api.access) can modify their own permission configuration. Attackers can elevate their account to Super Administrator by granting themselves admin.super and api.super permissions. This grants full administrative control over the CMS and can lead to remote code execution. The issue is fixed in version 1.0.0-beta.15.

Critical Impact

Authenticated low-privilege users can escalate to Super Administrator, resulting in full system compromise and potential RCE on Grav CMS instances.

Affected Products

  • Grav API Plugin versions prior to 1.0.0-beta.15
  • Grav CMS deployments with the API Plugin enabled
  • Headless Grav implementations exposing the REST API

Discovery Timeline

  • 2026-05-11 - CVE-2026-42843 published to NVD
  • 2026-05-13 - Last updated in NVD database

Technical Details for CVE-2026-42843

Vulnerability Analysis

The vulnerability stems from improper authorization checks in the UsersController::update endpoint of the Grav API Plugin. The endpoint accepts user permission fields in the update payload without validating whether the requesting user has authority to modify those specific fields. An authenticated attacker holding the minimal api.access permission can submit an update request targeting their own user record and inject elevated permissions into the payload. The plugin processes the payload and persists the modified permissions, including administrative scopes like admin.super and api.super. This issue maps to [CWE-863]: Incorrect Authorization.

Root Cause

The root cause is a missing authorization boundary between user-modifiable profile fields and permission-controlling fields. The update handler treats all submitted fields equivalently, trusting client-supplied permission data. There is no role-based check confirming that the caller possesses administrative rights before applying permission changes.

Attack Vector

An attacker first obtains valid credentials for any account with api.access, which may be a standard API consumer or registered user. The attacker sends an authenticated HTTP request to the user update endpoint, targeting their own user identifier. The request body includes a permissions object granting admin.super and api.super privileges. Upon success, the attacker holds Super Administrator rights and can manage system configuration, install plugins, or execute code via Grav's administrative features.

See the GitHub Security Advisory for technical details.

Detection Methods for CVE-2026-42843

Indicators of Compromise

  • Unexpected API requests to the Grav user update endpoint that include admin.super or api.super permission fields in the JSON body.
  • User accounts whose permission set was modified outside of an administrator session or known provisioning workflow.
  • New or existing low-privilege users gaining administrative panel access shortly after authenticating to the API.

Detection Strategies

  • Audit the Grav user store and configuration files for accounts holding admin.super or api.super that were not provisioned by administrators.
  • Inspect web server access logs for PUT or PATCH requests to user update routes originating from non-admin sessions.
  • Correlate authentication events with subsequent permission changes to identify self-elevation patterns.

Monitoring Recommendations

  • Enable verbose API request logging on the Grav API Plugin and forward logs to a centralized analytics platform.
  • Alert on any modification to user permission fields, especially when the actor and the target user are identical.
  • Monitor for downstream administrative actions such as plugin installation, theme uploads, or scheduler edits performed by recently elevated accounts.

How to Mitigate CVE-2026-42843

Immediate Actions Required

  • Upgrade the Grav API Plugin to version 1.0.0-beta.15 or later on all affected instances.
  • Review every user account for unauthorized admin.super or api.super grants and revoke them.
  • Rotate API tokens and credentials for users who held api.access prior to patching.

Patch Information

The maintainers fixed CVE-2026-42843 in Grav API Plugin 1.0.0-beta.15. The patch enforces authorization checks in UsersController::update so that callers cannot modify permission fields without administrative rights. Refer to the GitHub Security Advisory GHSA-r945-h4vm-h736 for release notes.

Workarounds

  • Disable the Grav API Plugin until the patched version can be deployed if upgrade is not immediately possible.
  • Restrict network access to the API endpoints using a reverse proxy or web application firewall, allowing only trusted IP ranges.
  • Remove api.access from non-essential user accounts to reduce the attacker pool that can reach the vulnerable endpoint.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.