Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Fri, 17 Jul 2026 00:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | grav-plugin-api before 1.0.6 fails to validate super-admin status in createApiKey, generate2fa, and disable2fa endpoints, allowing non-super api.users.write managers to escalate to super-admin. Attackers can mint API keys bound to super-admin accounts or strip 2FA from super-admin users to achieve full instance takeover. | |
| Title | grav-plugin-api < 1.0.6 Privilege Escalation via createApiKey | |
| First Time appeared |
Getgrav
Getgrav grav |
|
| Weaknesses | CWE-639 CWE-862 |
|
| CPEs | cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Getgrav
Getgrav grav |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-17T00:07:09.028Z
Reserved: 2026-07-13T16:40:10.962Z
Link: CVE-2026-62233
No data.
No data.
No data.
OpenCVE Enrichment
No data.