Grav · Grav-Plugin-Api · CVE-2026-42843
**Name of the Vulnerable Software and Affected Versions**
Grav API Plugin versions prior to 1.0.0-beta.15
**Description**
An insecure direct object reference and logic flaw in the `update()` function of the `UsersController` allows any authenticated user with basic `api.access` permissions to modify their own permission configuration. By sending a `PATCH` request to the user update endpoint, an attacker can overwrite the `access` variable to grant themselves Super Administrator privileges (`admin.super` and `api.super`). This vertical privilege escalation can lead to full system compromise and potential remote code execution (RCE) by allowing the attacker to modify configurations or upload malicious plugins.
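As an added illustration (not Grav's code), a hypothetical Python self-update handler showing the merge pattern the description implies beside a hardened version that allowlists body fields and reserves `access` for callers who already hold `admin.super`; the function names, `SELF_EDITABLE` and the sample user store are assumptions.

```python
class Forbidden(Exception):
    """Raised when the caller may not apply the requested PATCH body."""

def make_store() -> dict:
    # Constructed sample user store: one user holding only `api.access`.
    return {
        "alice": {"email": "alice@example.invalid",
                  "access": {"api": {"access": True}}},
    }

def has_permission(user: dict, dotted: str) -> bool:
    """Resolve a dotted permission such as `admin.super` against the access map."""
    node = user.get("access", {})
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return node is True

def update_user_vulnerable(users: dict, actor: str, target: str, patch: dict) -> dict:
    """Vulnerable pattern: checks api.access, then merges every body field,
    so an `access` key in the body rewrites the caller's own permissions."""
    if not has_permission(users[actor], "api.access"):
        raise Forbidden("api.access required")
    users[target].update(patch)
    return users[target]

SELF_EDITABLE = {"email", "fullname", "language"}  # assumed profile-only fields

def update_user_hardened(users: dict, actor: str, target: str, patch: dict) -> dict:
    """Hardened: allowlist the body; only an existing super admin may set `access`
    or edit a user other than themselves."""
    if not has_permission(users[actor], "api.access"):
        raise Forbidden("api.access required")
    is_super = has_permission(users[actor], "admin.super")
    if actor != target and not is_super:
        raise Forbidden("only a super admin may modify another user")
    allowed = SELF_EDITABLE | ({"access"} if is_super else set())
    rejected = sorted(set(patch) - allowed)
    if rejected:
        # Fail closed rather than silently dropping the key: a low-privileged
        # caller sending `access` is worth logging as an escalation attempt.
        raise Forbidden(f"fields not permitted for this caller: {rejected}")
    users[target].update(patch)
    return users[target]
```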
**Recommendations**
Update Grav API Plugin to version 1.0.0-beta.15.