PT-2026-37282 · Grav · Grav-Plugin-Api

N0Tra4E · Published 2026-05-05 · Updated 2026-05-27 · CVE-2026-42843

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Grav API Plugin versions prior to 1.0.0-beta.15

Description: An insecure direct object reference and logic flaw in the update() function of the UsersController allows any authenticated user with basic api.access permissions to modify their own permission configuration. By sending a PATCH request to the user update endpoint, an attacker can overwrite the access variable to grant themselves Super Administrator privileges (admin.super and api.super). This vertical privilege escalation can lead to full system compromise and potential remote code execution (RCE) by allowing the attacker to modify configurations or upload malicious plugins.

Recommendations: Update Grav API Plugin to version 1.0.0-beta.15.
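As an added example, not code from the Grav API plugin: a Python sketch of the allow-list check that prevents a PATCH body from rewriting the caller's own access map, shown beside the mass-assignment form the description above corresponds to. The field and permission names (`access`, `api.access`, `admin.super`, `api.super`) follow the description and are assumptions, not the plugin's real schema.

```python
# Added example (not Grav's own code): an allow-list guard for a user-update
# handler, modelled on the flaw described above. The field and permission names
# (`access`, `api.access`, `admin.super`, `api.super`) are assumptions.

PRIVILEGED_FIELDS = {"access"}                  # fields that change what a user may do
SUPER_PERMISSIONS = {"admin.super", "api.super"}
SELF_SERVICE_FIELDS = {"email", "fullname", "language"}  # assumed harmless profile fields

class Forbidden(Exception):
    """Raised when the caller may not apply the requested change."""

def is_super(user: dict) -> bool:
    """True if the user's access map grants any super-administrator permission."""
    return any(user.get("access", {}).get(p) for p in SUPER_PERMISSIONS)

def update_user_vulnerable(store: dict, actor: dict, target: str, patch: dict) -> dict:
    """Mass assignment: every key of the PATCH body is written to the record, so a
    basic api.access user can overwrite their own `access` map (the flaw above)."""
    store[target].update(patch)
    return store[target]

def update_user_hardened(store: dict, actor: dict, target: str, patch: dict) -> dict:
    """Owner or super admin may edit a user; `access` is accepted only from a
    super admin; any other field is rejected rather than silently written."""
    if actor["username"] != target and not is_super(actor):
        raise Forbidden("not allowed to modify other users")
    allowed = SELF_SERVICE_FIELDS | (PRIVILEGED_FIELDS if is_super(actor) else set())
    rejected = set(patch) - allowed
    if rejected:
        raise Forbidden(f"fields not permitted for this caller: {sorted(rejected)}")
    store[target].update(patch)
    return store[target]

def demo() -> tuple:
    """Constructed scenario: a basic api.access user submits a PATCH that rewrites
    their own `access` map. Returns (escalated_vulnerable, blocked, escalated_hardened)."""
    def users():
        return {"alice": {"username": "alice", "access": {"api.access": True}}}
    patch = {"access": {"api.access": True, "admin.super": True, "api.super": True}}
    v = users()
    update_user_vulnerable(v, v["alice"], "alice", patch)
    h = users()
    try:
        update_user_hardened(h, h["alice"], "alice", patch)
        blocked = False
    except Forbidden:
        blocked = True
    return is_super(v["alice"]), blocked, is_super(h["alice"])
```

Running demo() returns (True, True, False): the mass-assignment handler lets the basic user become a super administrator, while the hardened handler rejects the request and leaves the record unchanged.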

Exploit · Fix · RCE · Incorrect Authorization


Weakness Enumeration

Related Identifiers: CVE-2026-42843, GHSA-R945-H4VM-H736

Affected Products: Grav-Plugin-Api