The Grav API plugin (getgrav/grav-plugin-api) before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti (JWT ID) claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime (default 1 hour) regardless of logout, password change, new token issuance, or account disablement. An attacker who has stolen an access token retains full API access until the token naturally expires.
Metrics
Affected Vendors & Products
References
History
Wed, 15 Jul 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Getgrav
Getgrav grav |
|
| Vendors & Products |
Getgrav
Getgrav grav |
Wed, 15 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jul 2026 12:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Grav API plugin (getgrav/grav-plugin-api) before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti (JWT ID) claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime (default 1 hour) regardless of logout, password change, new token issuance, or account disablement. An attacker who has stolen an access token retains full API access until the token naturally expires. | |
| Title | Grav before 2.0.4 Improper Session Invalidation JWT Access Tokens | |
| Weaknesses | CWE-613 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-15T13:52:28.876Z
Reserved: 2026-07-09T14:06:14.017Z
Link: CVE-2026-61452
Updated: 2026-07-15T13:52:25.931Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T20:00:04Z