CVE-2026-61452
Received Received - Intake

Improper Session Invalidation in Grav API Plugin

Vulnerability report for CVE-2026-61452, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: VulnCheck

Description

The Grav API plugin (getgrav/grav-plugin-api) before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti (JWT ID) claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime (default 1 hour) regardless of logout, password change, new token issuance, or account disablement. An attacker who has stolen an access token retains full API access until the token naturally expires.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
getgrav grav_cms to 2.0.4 (exc)
getgrav grav_plugin_api to 2.0.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Grav API plugin before version 2.0.4 has an improper session invalidation issue where JWT access tokens are issued without a jti claim. This prevents server-side revocation of tokens, allowing them to remain valid for their full default lifetime of 1 hour even after logout, password changes, or account disablement.

Impact Analysis

If an attacker steals an access token, they can retain full API access until the token expires naturally. This includes unauthorized actions like data exfiltration, account manipulation, or privilege escalation. Users may also face persistent access even after logging out or changing passwords.

Compliance Impact

This vulnerability may violate compliance requirements for data access control and session management. GDPR requires timely revocation of access, while HIPAA mandates safeguards against unauthorized access. The inability to revoke tokens could lead to non-compliance and potential legal consequences.

Detection Guidance

Check Grav API plugin version with: grep -r "grav-plugin-api" /path/to/grav/installation. If version is less than 2.0.4, the system is vulnerable. Monitor network traffic for JWT tokens without jti claims using tools like Wireshark or tcpdump filtering for API endpoints.

Mitigation Strategies

Upgrade Grav API plugin to version 2.0.4 or later immediately. Reduce JWT access token lifetime to less than 1 hour. Implement server-side token revocation by adding jti claims to access tokens. Rotate all existing tokens after updating.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61452. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart