CVE-2026-62235
Received Received - Intake

Grav Flex-Objects Admin-Next API Broken Access Control

Vulnerability report for CVE-2026-62235, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

Grav Flex-Objects before version 1.4.3 contains a broken access control vulnerability in the admin-next REST API that allows authenticated users with only api.access permission to perform unauthorized CRUD operations on permission-less directories. Attackers with api.access credentials can create, read, update, delete, and export objects from any directory lacking an explicit permissions configuration, bypassing intended authorization controls.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
grav flex-objects to 1.4.3 (exc)
getgrav grav-plugin-flex-objects to 1.4.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-636 When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Grav Flex-Objects before version 1.4.3 has a broken access control flaw in its admin-next REST API. Authenticated users with only api.access permission can perform unauthorized CRUD operations on directories without explicit permissions. This bypasses intended authorization controls, allowing manipulation of objects in permission-less directories.

Detection Guidance

To detect this vulnerability, check if your Grav Flex-Objects plugin version is below 1.4.3. Use commands like 'composer show grav-plugin-flex-objects' or inspect the plugin directory for version details. Review API access logs for unauthorized CRUD operations on permission-less directories.

Impact Analysis

Attackers with api.access credentials could create, read, update, delete, or export sensitive data from directories they shouldn't access. This could lead to data theft, unauthorized modifications, or system compromise depending on the affected Grav CMS installation.

Compliance Impact

This vulnerability could violate compliance requirements by allowing unauthorized access to sensitive data. GDPR requires protecting personal data, while HIPAA mandates securing protected health information. Unauthorized data exposure or modification could result in regulatory penalties.

Mitigation Strategies

Immediately update Grav Flex-Objects to version 1.4.3 or later. If updating is not possible, restrict api.access permissions to only trusted users and audit directory permissions to ensure all directories have explicit permission configurations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62235. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart