CVE-2026-62235 PUBLISHED

Grav Flex-Objects < 1.4.3 Authorization Bypass via API

Assigner: VulnCheck
Reserved: 13.07.2026 Published: 17.07.2026 Updated: 17.07.2026

Grav Flex-Objects before version 1.4.3 contains a broken access control vulnerability in the admin-next REST API that allows authenticated users with only api.access permission to perform unauthorized CRUD operations on permission-less directories. Attackers with api.access credentials can create, read, update, delete, and export objects from any directory lacking an explicit permissions configuration, bypassing intended authorization controls.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
CVSS Score: 2.3

Product Status

Vendor getgrav
Product grav
Versions Default: unaffected
  • affected from 0 to 1.4.3 (excl.)
  • Version 1.4.3 is unaffected

Credits

  • CyberKareem finder

References

Problem Types

  • Missing Authorization CWE
  • Not Failing Securely ('Failing Open') CWE