CVE-2026-62231
Received Received - Intake

Authorization Bypass in Grav API Plugin

Vulnerability report for CVE-2026-62231, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

The Grav API plugin (getgrav/grav-plugin-api) before 1.0.6 contains an authorization bypass: API keys can be created with a restricted scopes array, but the ApiKeyAuthenticator class never reads or enforces these scopes. It loads and returns the owning user's full account object, so a key created with limited scopes (e.g. read-only) can perform any write, delete, or administrative operation the owning user is authorized for. Fixed in 1.0.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
getgrav grav_plugin_api 1.0.6
getgrav grav-plugin-api to 1.0.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-62231 is an authorization bypass in the Grav API plugin (getgrav/grav-plugin-api) before version 1.0.6. API keys can be created with restricted scopes, but the ApiKeyAuthenticator class does not enforce these scopes. This allows keys with limited permissions, such as read-only, to perform any action the key owner is authorized for, including write, delete, or administrative operations.

Detection Guidance

Check Grav API plugin version with: composer show getgrav/grav-plugin-api. If version is below 1.0.6, the system is vulnerable. Review API keys in Grav admin panel for unexpected scopes or unauthorized access.

Impact Analysis

This vulnerability allows attackers to bypass intended access restrictions. If an API key is created with limited scopes, such as read-only, it can still perform unauthorized write, delete, or administrative actions. This undermines the principle of least privilege and could lead to data breaches, unauthorized modifications, or system compromise.

Compliance Impact

This vulnerability can severely impact compliance with GDPR and HIPAA by enabling unauthorized access to sensitive data. GDPR requires strict access controls and data protection, while HIPAA mandates safeguards for protected health information. The bypass of access restrictions could lead to violations, unauthorized data exposure, and failure to meet regulatory requirements.

Mitigation Strategies

Upgrade Grav API plugin to version 1.0.6 or later immediately. Review and revoke all API keys, then regenerate them with proper scopes after upgrade. Monitor for unauthorized API activity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62231. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart