CVE-2026-61452 in Gravinformación

Resumen

por MITRE • 2026-07-15

The Grav API plugin (getgrav/grav-plugin-api) before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti (JWT ID) claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime (default 1 hour) regardless of logout, password change, new token issuance, or account disablement. An attacker who has stolen an access token retains full API access until the token naturally expires.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Responsable

VulnCheck

Reservar

2026-07-09

Divulgación

2026-07-15

Moderación

aceptado

Artículo

VDB-379248

CPE

listo

EPSS

0.00000

KEV

no

Actividades

muy bajo

Fuentes

Do you know our Splunk app?

Download it now for free!