CVE-2026-61451
Received Received - Intake

Password Reset Link Spoofing in Grav API Plugin

Vulnerability report for CVE-2026-61451, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: VulnCheck

Description

The Grav API plugin (grav-plugin-api) before 1.0.4 does not validate the origin of the client-supplied admin_base_url field in the POST /api/v1/auth/forgot-password endpoint. The sanitizeHttpUrl() function only checks that the URL scheme is http/https and never verifies the host against the server's own origin, so an attacker can supply an arbitrary host. As a result, an unauthenticated attacker can cause the password reset email sent to a victim to contain a reset link pointing at an attacker-controlled server; when the victim follows the link, the valid reset token is disclosed to the attacker, enabling full account takeover. The vulnerable base URL can also be influenced via the Referer or Origin headers.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
getgrav grav to 1.0.4 (exc)
grav grav-plugin-api to 1.0.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a password reset token poisoning flaw in the Grav API plugin (grav-plugin-api) before version 1.0.4. The issue occurs because the admin_base_url field in the password reset endpoint is not properly validated. The sanitizeHttpUrl() function only checks if the URL uses http or https but does not verify if the host matches the server's origin. This allows attackers to supply arbitrary hosts, causing password reset emails to include links pointing to attacker-controlled servers. When victims click these links, their valid reset tokens are exposed to the attacker, enabling full account takeover.

Impact Analysis

An unauthenticated attacker can exploit this to gain full control over any user account, including superadmin accounts, by capturing password reset tokens. Attackers can then modify page content, install plugins or themes, manage files, and potentially execute remote code on the server. Victims may unknowingly expose their reset tokens by following poisoned links in legitimate-looking emails.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive user data, violating confidentiality requirements under GDPR and HIPAA. Full account takeover may result in data breaches, unauthorized modifications, or data exfiltration, all of which are compliance violations. Organizations using vulnerable Grav versions may face regulatory penalties and reputational damage.

Detection Guidance

To detect this vulnerability, check if your Grav CMS with the API plugin (grav-plugin-api) is running a version before 1.0.4. Inspect the Grav admin interface or server files for the plugin version. Review server logs for unusual password reset requests or emails sent to unexpected domains.

Mitigation Strategies

Immediately update the Grav API plugin to version 1.0.4 or later. Disable the password reset endpoint if not needed. Monitor for suspicious password reset requests or emails. Consider implementing network-level controls to block external domains in reset links.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61451. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart