CVE-2026-62387
Received Received - Intake

Insecure CORS Configuration in Grav API Plugin

Vulnerability report for CVE-2026-62387, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

The Grav API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 shipped Access-Control-Allow-Origin: * as its default CORS configuration on all responses, including authenticated endpoints and preflight (OPTIONS) responses. Because the plugin accepts credentials via the Authorization and X-API-Token headers (set programmatically by JavaScript rather than via cookies), an attacker who obtains a valid access token (e.g., via log leakage, Referer headers, browser history, or network capture) can issue fully authenticated cross-origin requests from any malicious website to read sensitive data and perform write operations as the token's user. Fixed in 1.0.0-rc.16.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
getgrav grav_plugin_api 1.0.0-rc.16
getgrav grav-plugin-api to 1.0.0-rc.16 (exc)
getgrav grav to 1.0.0-rc.16 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-942 The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a CORS misconfiguration in the Grav API plugin (versions before 1.0.0-rc.16). The plugin incorrectly sets the Access-Control-Allow-Origin header to * for all responses, including authenticated endpoints. This allows attackers with a valid access token to send fully authenticated cross-origin requests from any malicious website, potentially exposing sensitive data or performing unauthorized actions.

Detection Guidance

Check Grav API plugin version with: grep -r "grav-plugin-api" /path/to/grav/ | grep version. Verify CORS headers by inspecting HTTP responses for Access-Control-Allow-Origin: * on authenticated endpoints using curl -I -X OPTIONS https://your-grav-site.com/api-endpoint.

Impact Analysis

If you use the Grav API plugin before version 1.0.0-rc.16, an attacker could exploit this to read sensitive data or perform actions on your behalf if they obtain your access token. Tokens could be leaked through logs, browser history, or network traffic. The attacker only needs to trick you into visiting their malicious site.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating confidentiality requirements in GDPR and HIPAA. Exposure of personal or health data due to improper CORS policies may result in non-compliance, potential fines, and legal consequences under these regulations.

Mitigation Strategies

Upgrade the Grav API plugin to version 1.0.0-rc.16 or later. Review and restrict CORS policies to trusted domains only. Rotate all exposed access tokens and credentials.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62387. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart