CVE-2026-61452 in GravИнформация

Сводка

по MITRE • 15.07.2026

The Grav API plugin (getgrav/grav-plugin-api) before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti (JWT ID) claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime (default 1 hour) regardless of logout, password change, new token issuance, or account disablement. An attacker who has stolen an access token retains full API access until the token naturally expires.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Ответственный

VulnCheck

Резервировать

09.07.2026

Раскрытие

15.07.2026

Модерация

принято

Вход

VDB-379248

EPSS

0.00000

KEV

Нет

Деятельности

Низкий

Источники

Do you want to use VulDB in your project?

Use the official API to access entries easily!