CVE-2026-61452 in Grav정보

요약

\~에 의해 MITRE • 2026. 07. 15.

The Grav API plugin (getgrav/grav-plugin-api) before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti (JWT ID) claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime (default 1 hour) regardless of logout, password change, new token issuance, or account disablement. An attacker who has stolen an access token retains full API access until the token naturally expires.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

책임이 있는

VulnCheck

예약하다

2026. 07. 09.

모더레이션

수락

항목

VDB-379248

EPSS

0.00000

출처

Do you know our Splunk app?

Download it now for free!