CVE-2026-62233 in Grav
Summary
by MITRE • 07/17/2026
grav-plugin-api before 1.0.6 fails to validate super-admin status in createApiKey, generate2fa, and disable2fa endpoints, allowing non-super api.users.write managers to escalate to super-admin. Attackers can mint API keys bound to super-admin accounts or strip 2FA from super-admin users to achieve full instance takeover.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability exists within the grav-plugin-api component affecting versions prior to 1.0.6, where critical access control mechanisms fail to properly validate super-admin privileges during three key administrative operations. The flaw specifically impacts the createApiKey, generate2fa, and disable2fa endpoints which are designed to operate exclusively with elevated super-admin permissions. This represents a severe authorization bypass vulnerability that directly violates the principle of least privilege and allows for privilege escalation attacks.
The technical implementation fails to perform proper authentication checks before executing sensitive administrative functions, enabling attackers with api.users.write permissions to manipulate system-level configurations. When an attacker successfully exploits this vulnerability, they can create API keys that are bound to super-admin accounts without proper authorization, effectively bypassing the normal access control mechanisms that should prevent such actions. This flaw also extends to two-factor authentication management where unauthorized users can disable 2fa protection for super-admin accounts, removing critical security layers from high-privilege positions.
The operational impact of this vulnerability is catastrophic as it provides attackers with complete administrative control over affected systems. Once an attacker has escalated privileges through this vulnerability, they gain unrestricted access to all system resources, user data, and configuration settings that are typically protected from standard user accounts. The ability to mint API keys bound to super-admin accounts creates persistent backdoors that can be used for ongoing unauthorized access, while removing 2fa protection eliminates the primary defense against credential compromise attacks.
This vulnerability aligns with CWE-285 which addresses improper authorization in software systems and corresponds to attack patterns described in the MITRE ATT&CK framework under privilege escalation techniques. The specific exploitation path follows T1078 which covers valid accounts and T1566 which encompasses social engineering tactics that can be used to obtain initial access. Organizations should immediately update to grav-plugin-api version 1.0.6 or later where proper super-admin status validation has been implemented. Additional mitigations include implementing network segmentation, monitoring for unusual API key creation patterns, and enforcing strict access controls for administrative functions through proper role-based access control mechanisms. The vulnerability demonstrates the critical importance of validating elevated privileges at all points within administrative interfaces to prevent unauthorized escalation attacks that can lead to complete system compromise.