Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-58656

CVE-2026-58656: Grav API Plugin Auth Bypass Vulnerability

CVE-2026-58656 is an authentication bypass flaw in Grav API plugin that allows attackers to exploit leaked JWT tokens for unauthorized cross-origin API requests. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-58656 Overview

CVE-2026-58656 affects the Grav API plugin before version 1.0.0-rc.16. The plugin accepts JSON Web Token (JWT) authentication via the ?token= URL query parameter and responds with the Access-Control-Allow-Origin: * header. This combination allows unauthenticated attackers to issue fully authenticated cross-origin API requests from any malicious website. Attackers who obtain a leaked JWT from access logs, proxy logs, browser history, or HTTP Referer headers can create persistent super-admin backdoor accounts and exfiltrate configuration and user data. The weakness is categorized under [CWE-598] (Use of GET Request Method With Sensitive Query Strings).

Critical Impact

A single leaked JWT enables full administrative takeover of the Grav content management system and persistent backdoor account creation.

Affected Products

  • Grav CMS API plugin versions prior to 1.0.0-rc.16
  • Grav installations exposing the API plugin endpoint to the internet
  • Deployments behind reverse proxies or CDNs that log full request URLs

Discovery Timeline

  • 2026-07-08 - CVE-2026-58656 published to the National Vulnerability Database
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-58656

Vulnerability Analysis

The Grav API plugin exposes two design flaws that combine into an account takeover primitive. First, the plugin accepts JWT credentials through the ?token= URL query string instead of restricting them to the Authorization header. Query string parameters are routinely persisted by web servers, upstream proxies, CDNs, browser history, and third-party analytics. Any component along that path can leak the credential.

Second, the plugin returns Access-Control-Allow-Origin: * on API responses. This wildcard Cross-Origin Resource Sharing (CORS) policy tells browsers to allow any origin to read the response body. When combined with token-in-URL authentication, a malicious page hosted anywhere on the internet can call the Grav API with a captured token and read the results directly.

An attacker who recovers a valid JWT can invoke administrative endpoints to create a new super-admin user, alter site configuration, or dump the user database. Because the JWT authenticates the caller, no session cookie, CSRF token, or same-origin restriction blocks the request.

Root Cause

The root cause is the intersection of two insecure defaults: sensitive bearer credentials placed in URL query strings and a permissive CORS policy that treats the API as fully public. Either issue in isolation is unsafe; together they eliminate the browser's cross-origin protections that would normally isolate authenticated APIs.

Attack Vector

Exploitation occurs remotely over the network with no authentication and no user interaction beyond the attacker obtaining a leaked token. Sources of token leakage include Apache or Nginx access logs, reverse proxy logs, SIEM ingestion pipelines, referrer headers sent to external assets, and shared browser history. Once the attacker has the JWT, they issue requests such as GET /api/users?token=<jwt> from an attacker-controlled origin and receive the response body due to the wildcard CORS header. The follow-on step is to POST a new administrator account and retain persistent access even after the original token expires.

Detection Methods for CVE-2026-58656

Indicators of Compromise

  • Web server access log entries containing ?token= or &token= parameters against /api/ paths
  • Creation of new administrator or super-admin accounts in user/accounts/ outside change windows
  • Unexpected POST requests to Grav API user management endpoints from external referrers
  • Outbound HTTP responses carrying Access-Control-Allow-Origin: * alongside authenticated JSON bodies

Detection Strategies

  • Alert on any HTTP request to Grav API endpoints where token appears as a URL query parameter
  • Correlate administrator account creation events with the source IP and User-Agent of preceding API calls
  • Baseline the set of Origin and Referer headers seen against the API and flag new external origins

Monitoring Recommendations

  • Ship web server, reverse proxy, and CDN access logs to a central store and scrub or hash query strings before retention
  • Monitor Grav user/accounts/ directory for file additions and modifications
  • Track outbound traffic from the CMS host for unusual data volumes indicative of configuration or user exfiltration

How to Mitigate CVE-2026-58656

Immediate Actions Required

  • Upgrade the Grav API plugin to 1.0.0-rc.16 or later immediately
  • Invalidate all existing JWTs and rotate signing secrets to void tokens already exposed in logs
  • Audit user/accounts/ for unauthorized administrator accounts and remove any that cannot be attributed
  • Purge historical web server, proxy, and CDN logs that captured tokens in URLs

Patch Information

The maintainers addressed the issue in Grav API plugin version 1.0.0-rc.16. Refer to the GitHub Security Advisory GHSA-hqm9-5xxw-4qxp and the VulnCheck advisory for the full remediation notes.

Workarounds

  • Restrict the Grav API endpoint at the reverse proxy layer to trusted source IP ranges until patching completes
  • Strip token query parameters at the edge and require the Authorization: Bearer header instead
  • Override the CORS response to a specific trusted origin rather than * via web server configuration
  • Disable the API plugin entirely if it is not required for the deployment
bash
# Nginx snippet: block token in query string and tighten CORS
location /api/ {
    if ($arg_token) { return 400; }
    add_header Access-Control-Allow-Origin "https://admin.example.com" always;
    add_header Vary "Origin" always;
    proxy_pass http://grav_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.