CVE-2026-58656
Grav API plugin before v1.0.0-rc.16 accepts JWT tokens via the ?token= URL query parameter and responds with Access-Control-Allow-Origin: *,
CVSS
7.5
High
EPSS
0.3%
p19
KEV
—
Exploit Today
6
0-100
Published: Jul 8, 2026 · Last modified: Jul 8, 2026 · CWE-598
0.3%EPSS · 30 days0.3%
2026-07-092026-07-16
Grav API plugin before v1.0.0-rc.16 accepts JWT tokens via the ?token= URL query parameter and responds with Access-Control-Allow-Origin: *, allowing unauthenticated attackers to make fully authenticated cross-origin API requests from any malicious website. Attackers who obtain a leaked JWT token from access logs, proxy logs, browser history, or Referrer headers can create persistent backdoor super-admin accounts and exfiltrate sensitive configuration and user data.
- github.comhttps://github.com/getgrav/grav/security/advisories/GHSA-hqm9-5xxw-4qxp
- www.vulncheck.comhttps://www.vulncheck.com/advisories/grav-api-plugin-cross-origin-admin-account-takeover-via-cors-wildcard-and-jwt-query-parameter
- github.comhttps://github.com/getgrav/grav/security/advisories/GHSA-hqm9-5xxw-4qxp
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-546528.1 HIG13.9%
——4Frigate is an open source network video recorder. In version 0.17.1, the GET /api/logs/{service} endpoint allows any authenticated user including the viewer role to download Frigate and nginx logs, exposing auto-generated admin passwords and camera credentials logged in request query strings and enabling viewer-to-admin privilege escalation. A fixed release has not been identified.9dCVE-2026-623867.5 HIG—
———The Grav API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 accepts JWT access tokens through the ?token= URL query parameter on every API route (JwtAuthenticator::extractBearerToken fallback). Because tokens are embedded in URLs, they are logged verbatim in web server access logs, leaked via the Referer header, stored in browser history, and captured by upstream proxy and CDN logs, exposing valid admin access tokens. A leaked token grants unauthorized API access, including reading configuration and user data, creating admin accounts, modifying system settings, and deleting pages.14h