{"id":82123,"date":"2026-07-17T05:48:11","date_gmt":"2026-07-17T02:18:11","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-62386-grav-1-0-0-rc-16-authentication-bypass-via-token-url-parameter\/"},"modified":"2026-07-17T05:48:11","modified_gmt":"2026-07-17T02:18:11","slug":"cve-2026-62386-grav-1-0-0-rc-16-authentication-bypass-via-token-url-parameter","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-62386-grav-1-0-0-rc-16-authentication-bypass-via-token-url-parameter\/","title":{"rendered":"CVE-2026-62386 &#8211; Grav &lt; 1.0.0-rc.16 Authentication Bypass via token URL Parameter"},"content":{"rendered":"<p>CVE ID :CVE-2026-62386<\/p>\n<p>  Published : July 17, 2026, 2:18 a.m. | 1\u00a0hour, 17\u00a0minutes ago<\/p>\n<p>  Description :The Grav API plugin (getgrav\/grav-plugin-api) before 1.0.0-rc.16 accepts JWT access tokens through the ?token= URL query parameter on every API route (JwtAuthenticator::extractBearerToken fallback). Because tokens are embedded in URLs, they are logged verbatim in web server access logs, leaked via the Referer header, stored in browser history, and captured by upstream proxy and CDN logs, exposing valid admin access tokens. A leaked token grants unauthorized API access, including reading configuration and user data, creating admin accounts, modifying system settings, and deleting pages.<\/p>\n<p>  Severity: 8.2 | HIGH<\/p>\n<p>  Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID :CVE-2026-62386 Published : July 17, 2026, 2:18 a.m. | 1\u00a0hour, 17\u00a0minutes ago Description :The Grav API plugin (getgrav\/grav-plugin-api) before 1.0.0-rc.16 accepts JWT access tokens through the ?token= URL query parameter on every API route (JwtAuthenticator::extractBearerToken fallback). Because tokens are embedded in URLs, they are logged verbatim in web server access logs, leaked via &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-82123","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/82123","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=82123"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/82123\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=82123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=82123"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=82123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}