CVE-2026-61452 in Gravinfo

Summary

by MITRE • 07/15/2026

The Grav API plugin (getgrav/grav-plugin-api) before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti (JWT ID) claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime (default 1 hour) regardless of logout, password change, new token issuance, or account disablement. An attacker who has stolen an access token retains full API access until the token naturally expires.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability in the Grav API plugin affects versions prior to 2.0.4 and represents a critical session management flaw that undermines the security of JWT-based authentication systems. This issue stems from the absence of jti (JWT ID) claims in issued access tokens, which creates a fundamental weakness in token revocation capabilities. The implementation fails to provide server-side mechanisms for invalidating individual tokens, leaving access tokens permanently valid throughout their entire lifecycle regardless of user state changes or security events.

The technical flaw manifests as an improper session invalidation pattern that violates established security best practices for token-based authentication systems. Without jti claims, the server cannot maintain a revocation list or track token usage effectively, making it impossible to invalidate access tokens when users log out, change passwords, or when accounts are disabled. This vulnerability directly impacts the principle of least privilege and breaks the expected behavior of session management where tokens should be invalidated upon user actions that compromise security. The absence of jti claims means that tokens function as long-lived credentials with no mechanism for immediate revocation, creating a persistent attack surface that remains active until natural expiration.

Operational impact of this vulnerability extends beyond simple authentication bypasses to encompass complete API access persistence for attackers who acquire valid access tokens through various means such as network interception, credential theft, or application vulnerabilities. The default one-hour lifetime of these tokens provides attackers with substantial window of opportunity to exploit compromised credentials without detection, particularly in environments where monitoring is insufficient or token rotation practices are not implemented. This weakness enables persistent unauthorized access to sensitive API endpoints and data, potentially leading to data exfiltration, privilege escalation, or further exploitation within the application ecosystem.

Mitigation strategies must address both immediate remediation and long-term architectural improvements to prevent similar vulnerabilities. The primary fix involves implementing proper jti claims in JWT tokens along with server-side token storage mechanisms for revocation tracking and validation. Organizations should implement comprehensive token management policies including automatic token invalidation upon logout, password changes, and account modifications. Additionally, implementing short-lived access tokens combined with secure refresh token mechanisms provides better security posture while maintaining usability. The solution aligns with CWE-613, which addresses insufficient session expiration and improper session handling in authentication systems. From an ATT&CK perspective, this vulnerability maps to T1566 (Phishing) and T1078 (Valid Accounts) as attackers can maintain persistent access using stolen tokens, and to T1528 (Steal Application Access Token) as the lack of token revocation capabilities prevents effective response to token theft incidents.

Responsible

VulnCheck

Reservation

07/09/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!