CVE-2026-42843: Grav API Privilege Escalation to Super Admin

May 5, 2026

An insecure direct object reference and logic flaw in the Grav API plugin (UsersController::update) allows any authenticated user with basic API access (api.access) to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator (admin.super and api.super), leading to full system compromise and potential RCE.

References

github.com/advisories/GHSA-r945-h4vm-h736
github.com/getgrav/grav
github.com/getgrav/grav-plugin-api/commit/26f529c7d438c73343e82311fb095caeaf1a6116
github.com/getgrav/grav/security/advisories/GHSA-r945-h4vm-h736
nvd.nist.gov/vuln/detail/CVE-2026-42843

Code Behaviors & Features

Detect and mitigate CVE-2026-42843 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →