CVE-2026-62386 in Grav
Summary
by MITRE • 07/17/2026
The Grav API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 accepts JWT access tokens through the ?token= URL query parameter on every API route (JwtAuthenticator::extractBearerToken fallback). Because tokens are embedded in URLs, they are logged verbatim in web server access logs, leaked via the Referer header, stored in browser history, and captured by upstream proxy and CDN logs, exposing valid admin access tokens. A leaked token grants unauthorized API access, including reading configuration and user data, creating admin accounts, modifying system settings, and deleting pages.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability in the Grav API plugin affects versions prior to 1.0.0-rc.16 and stems from improper handling of JWT access tokens through URL query parameters. This flaw represents a critical security issue that violates fundamental principles of secure token management and exposes administrative credentials through multiple attack vectors. The implementation allows JWT tokens to be passed via the ?token= parameter in URLs, which creates a cascade of security risks due to how web infrastructure handles URL data. According to CWE-598, this vulnerability directly relates to the use of URL parameters for sensitive information transmission, while also aligning with CWE-312 for exposure of sensitive data through improper logging mechanisms.
The technical implementation flaw occurs within the JwtAuthenticator::extractBearerToken method which falls back to extracting tokens from URL query parameters when bearer tokens are not properly formatted in HTTP headers. This fallback mechanism creates an unintentional attack surface where any valid JWT token becomes exposed through standard web server logging practices. The vulnerability is exacerbated by the fact that URL parameters are inherently visible and persistent within various network infrastructure components, making this a particularly dangerous flaw from both a confidentiality and integrity perspective. The exposure of tokens through web server access logs violates security best practices established in NIST SP 800-53 and aligns with ATT&CK technique T1071.004 for application layer protocol usage.
The operational impact of this vulnerability is severe and far-reaching, as leaked tokens grant attackers full administrative privileges within the Grav system. An attacker who obtains a valid token can perform any action available to administrators including reading sensitive configuration files, accessing user data, creating new admin accounts, modifying system settings, and deleting content. This level of access represents a complete compromise of the affected system's integrity and confidentiality. The exposure affects not just the immediate application but also all downstream systems that may log or process these URLs, including reverse proxies, content delivery networks, and monitoring infrastructure. The attack surface extends beyond the immediate web server to include any point in the network where URL data might be captured or transmitted.
Mitigation strategies must address both the immediate implementation flaw and establish proper token handling practices throughout the system architecture. The primary fix involves removing the fallback mechanism that accepts tokens from URL query parameters and ensuring all authentication tokens are properly handled through HTTP headers only. Organizations should implement comprehensive logging policies that exclude URL parameters from being recorded in web server logs, and deploy proper input validation to prevent token leakage through referer headers. Network security controls including web application firewalls should be configured to monitor for and block URL-based token usage patterns. Additionally, system administrators must rotate all compromised tokens immediately and implement automated monitoring for suspicious access patterns that may indicate token compromise. The remediation process should also include reviewing all other plugins and components for similar vulnerabilities following ATT&CK technique T1583.001 for credential access through software supply chain compromises.