CVE-2026-62386
Received Received - Intake

JWT Token Exposure via URL Parameter in Grav API Plugin

Vulnerability report for CVE-2026-62386, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

The Grav API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 accepts JWT access tokens through the ?token= URL query parameter on every API route (JwtAuthenticator::extractBearerToken fallback). Because tokens are embedded in URLs, they are logged verbatim in web server access logs, leaked via the Referer header, stored in browser history, and captured by upstream proxy and CDN logs, exposing valid admin access tokens. A leaked token grants unauthorized API access, including reading configuration and user data, creating admin accounts, modifying system settings, and deleting pages.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
getgrav grav_plugin_api to 1.0.0-rc.16 (exc)
getgrav grav to 1.0.0-rc.16 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-598 The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-62386 is a high-severity authentication bypass in the Grav API plugin before version 1.0.0-rc.16. It allows JWT access tokens to be passed via the ?token= URL query parameter on all API routes due to a fallback mechanism. This exposes tokens in web server logs, Referer headers, browser history, and proxy/CDN logs, enabling unauthorized administrative API access if tokens are leaked.

Detection Guidance

Check web server access logs for URLs containing ?token= followed by JWT-like strings. Inspect browser history and Referer headers for exposed tokens. Use network monitoring tools to detect unusual API requests with token parameters.

Impact Analysis

If exploited, an attacker with a leaked token can gain full administrative API access. This includes reading configurations and user data, creating admin accounts, modifying system settings, and deleting pages. The vulnerability is particularly dangerous because tokens are exposed in logs and browser history, increasing the risk of unauthorized access.

Compliance Impact

This vulnerability could lead to non-compliance with GDPR and HIPAA due to unauthorized access to sensitive user data and configurations. GDPR requires protecting personal data, while HIPAA mandates securing protected health information. A breach via this flaw would violate these regulations, potentially resulting in legal penalties and reputational damage.

Mitigation Strategies

Upgrade the Grav API plugin to version 1.0.0-rc.16 or later. Disable token transmission via URL parameters by configuring the plugin to only accept tokens from headers. Rotate all exposed JWT tokens immediately.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62386. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart