CVE-2026-62386 PUBLISHED

Grav < 1.0.0-rc.16 Authentication Bypass via token URL Parameter

Assigner: VulnCheck
Reserved: 13.07.2026 Published: 17.07.2026 Updated: 17.07.2026

The Grav API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 accepts JWT access tokens through the ?token= URL query parameter on every API route (JwtAuthenticator::extractBearerToken fallback). Because tokens are embedded in URLs, they are logged verbatim in web server access logs, leaked via the Referer header, stored in browser history, and captured by upstream proxy and CDN logs, exposing valid admin access tokens. A leaked token grants unauthorized API access, including reading configuration and user data, creating admin accounts, modifying system settings, and deleting pages.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.2

Product Status

Vendor getgrav
Product grav
Versions Default: unaffected
  • affected from 0 to 1.0.0-rc.16 (excl.)
  • Version 1.0.0-rc.16 is unaffected

Credits

  • nicl4ssic reporter

References

Problem Types

  • Use of GET Request Method With Sensitive Query Strings CWE