CVE-2026-62387 in Grav API Plugin
Summary
by MITRE • 07/17/2026
The Grav API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 shipped Access-Control-Allow-Origin: * as its default CORS configuration on all responses, including authenticated endpoints and preflight (OPTIONS) responses. Because the plugin accepts credentials via the Authorization and X-API-Token headers (set programmatically by JavaScript rather than via cookies), an attacker who obtains a valid access token (e.g., via log leakage, Referer headers, browser history, or network capture) can issue fully authenticated cross-origin requests from any malicious website to read sensitive data and perform write operations as the token's user. Fixed in 1.0.0-rc.16.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability in the Grav API plugin represents a critical cross-origin resource sharing misconfiguration that undermines fundamental web security principles. This issue affects versions prior to 1.0.0-rc.16 of the getgrav/grav-plugin-api plugin, where the default CORS policy was configured with Access-Control-Allow-Origin: * across all endpoints including those requiring authentication. The flaw demonstrates a classic violation of the principle of least privilege and proper access control implementation, as it allows any domain to make authenticated requests to the API without proper origin validation.
The technical implementation of this vulnerability stems from the plugin's handling of authentication credentials through non-cookie mechanisms such as Authorization and X-API-Token headers. This approach, while potentially more secure than cookie-based authentication in some contexts, creates a dangerous attack surface when combined with permissive CORS policies. The inclusion of preflight OPTIONS responses in this broad allowance compounds the risk, as it enables attackers to probe and test API endpoints from malicious origins without being blocked by browser security mechanisms.
The operational impact of this vulnerability is severe and multifaceted, as it provides attackers with a pathway to perform authenticated operations across origin boundaries. An attacker who manages to obtain a valid access token through various means such as log leakage, referer header exposure, browser history examination, or network packet capture can construct malicious web pages that automatically submit requests to the Grav API from compromised user browsers. This enables unauthorized data reading and writing operations with the privileges of the token's legitimate user, potentially leading to complete account compromise and data exfiltration.
The vulnerability aligns with CWE-346, which addresses "Origin Validation Error" in web applications, and demonstrates characteristics consistent with ATT&CK technique T1566.002 for credential access through network sniffing and T1566.001 for credential access via phishing. The attack vector exploits the trust relationship between browsers and web applications by leveraging legitimate authentication tokens to bypass same-origin policies that normally protect against cross-site request forgery attacks. Organizations using affected versions of the plugin face significant risk of unauthorized data access and modification, particularly in environments where API tokens might be exposed through insecure logging practices or network monitoring.
The fix implemented in version 1.0.0-rc.16 addresses this by properly configuring CORS policies to restrict access based on legitimate origins rather than allowing unrestricted cross-origin requests. This remediation aligns with security best practices outlined in OWASP API Security Top 10 and the principle of defense in depth, ensuring that authentication tokens cannot be leveraged from untrusted domains while maintaining proper functionality for legitimate users. The corrected implementation should validate the origin header against a whitelist of trusted domains and properly handle preflight requests without compromising the security of authenticated endpoints.