CVE-2026-61452 in Gravالمعلومات

الملخص

بحسب MITRE • 15/07/2026

The Grav API plugin (getgrav/grav-plugin-api) before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti (JWT ID) claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime (default 1 hour) regardless of logout, password change, new token issuance, or account disablement. An attacker who has stolen an access token retains full API access until the token naturally expires.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

مسؤول

VulnCheck

حجز

09/07/2026

إفشاء

15/07/2026

الاعتدال

تمت الموافقة

إدخال

VDB-379248

EPSS

0.00000

KEV

لا

النشاطات

منخفض جدًا

المصادر

Might our Artificial Intelligence support you?

Check our Alexa App!