CVE-2026-61451

9.6 CRITICAL
Published: July 15, 2026 Modified: July 15, 2026
View on NVD

Description

The Grav API plugin (grav-plugin-api) before 1.0.4 does not validate the origin of the client-supplied admin_base_url field in the POST /api/v1/auth/forgot-password endpoint. The sanitizeHttpUrl() function only checks that the URL scheme is http/https and never verifies the host against the server's own origin, so an attacker can supply an arbitrary host. As a result, an unauthenticated attacker can cause the password reset email sent to a victim to contain a reset link pointing at an attacker-controlled server; when the victim follows the link, the valid reset token is disclosed to the attacker, enabling full account takeover. The vulnerable base URL can also be influenced via the Referer or Origin headers.

AI Explanation

**1. Summary** This is a critical input validation vulnerability in the Grav API plugin that allows an unauthenticated attacker to manipulate the password reset process. Because the plugin fails to verify the hostname in the base URL, an attacker can trick the system into sending password reset emails with links pointing to a malicious server. If a victim clicks this link, the attacker steals the valid reset token, allowing them to reset the victim's password and take over the account. **2. Who is affected** * **Product:** Grav CMS installations using the `grav-plugin-api` (Grav API Plugin). * **Affected Versions:** All versions prior to **1.0.4**. **3. Attacker Impact** An unauthenticated attacker can gain full access to any user account, including administrator accounts, by forcing a password reset and intercepting the reset token. This results in a complete account takeover (ATO) and potential compromise of the entire CMS. **4. Recommended Remediation** * **Update Immediately:** Upgrade the Grav API plugin to version **1.0.4** or later. * **Mitigation:** If an update cannot be applied immediately, restrict access to the `/api/v1/auth/forgot-password` endpoint to trusted IP addresses or disable the API plugin temporarily. * **Post-Patch Actions:** Force a password reset for all users if you suspect this vulnerability was exploited prior to patching.

Generated: 2026-07-15 14:19

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.6 / 10.0
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)