Stats Digest Feeds
โ† Back to all CVEs

CVE-2026-61452

MEDIUM NVD
CVSS Score 5.3
Severity MEDIUM
Published Jul 15, 2026
Vendor unknown

Description

The Grav API plugin (getgrav/grav-plugin-api) before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti (JWT ID) claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime (default 1 hour) regardless of logout, password change, new token issuance, or account disablement. An attacker who has stolen an access token retains full API access until the token naturally expires.

References