{"api_version":"1","generated_at":"2026-05-13T00:06:33+00:00","cve":"CVE-2026-42843","urls":{"html":"https://cve.report/CVE-2026-42843","api":"https://cve.report/api/cve/CVE-2026-42843.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-42843","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-42843"},"summary":{"title":"grav-plugin-api: Grav API Privilege Escalation to Super Admin","description":"Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-05-11 17:16:34","updated_at":"2026-05-11 20:25:42"},"problem_types":["CWE-863","CWE-863 CWE-863: Incorrect Authorization"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736","name":"https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-42843","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42843","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"getgrav","product":"grav-plugin-api","version":"affected < 1.0.0-beta.15","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-42843","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-05-11T18:51:01.009552Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-05-11T19:06:51.035Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"grav-plugin-api","vendor":"getgrav","versions":[{"status":"affected","version":"< 1.0.0-beta.15"}]}],"descriptions":[{"lang":"en","value":"Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-863","description":"CWE-863: Incorrect Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-11T15:54:33.485Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736","tags":["x_refsource_CONFIRM"],"url":"https://github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736"}],"source":{"advisory":"GHSA-r945-h4vm-h736","discovery":"UNKNOWN"},"title":"grav-plugin-api: Grav API Privilege Escalation to Super Admin"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-42843","datePublished":"2026-05-11T15:54:33.485Z","dateReserved":"2026-04-30T16:44:48.376Z","dateUpdated":"2026-05-11T19:06:51.035Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-11 17:16:34","lastModifiedDate":"2026-05-11 20:25:42","problem_types":["CWE-863","CWE-863 CWE-863: Incorrect Authorization"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"42843","Ordinal":"1","Title":"grav-plugin-api: Grav API Privilege Escalation to Super Admin","CVE":"CVE-2026-42843","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"42843","Ordinal":"1","NoteData":"Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE. This vulnerability is fixed in 1.0.0-beta.15.","Type":"Description","Title":"grav-plugin-api: Grav API Privilege Escalation to Super Admin"}]}}}