External risk intelligence

Grav API Plugin Password Reset Token Poisoning Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2026-61451

The vulnerability exists in a web application API endpoint (forgot-password) that is typically exposed to the public internet to facilitate user account recovery. As a standard web-facing feature of a CMS plugin, it is commonly reachable by external, unauthenticated users.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects the Grav API plugin, which could allow an unauthenticated attacker to redirect password reset emails to a malicious server. This could lead to the disclosure of password reset tokens and a full account takeover.

  • Attackers can redirect password resets.
  • Account takeover is possible via compromised links.
  • Confirm relevance and exposure to user accounts.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a crafted request to the forgotten password endpoint. This request manipulates the `admin_base_url` parameter to redirect the password reset email to an attacker-controlled server. When the victim clicks the link in the email, the attacker intercepts the password reset token, allowing them to take over the victim's account.

  • No authentication required.
  • Triggered by a POST request to the forgotten password endpoint.
  • Risk of full account takeover.

Live Threat

Current exploitation, exposure, and threat context

The Grav API plugin could allow an unauthenticated attacker to redirect password reset emails to an attacker-controlled server. When a victim clicks the link in the malicious email, a valid password reset token could be disclosed, leading to account takeover. This could occur when the plugin's password reset functionality is accessed and the attacker can influence the `admin_base_url` field, or when the `Referer` or `Origin` headers are manipulated.

  • User account access.
  • Malicious link redirects reset token.
  • Full account takeover.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Grav API plugin's handling of the `admin_base_url` field in the password reset function allows unauthenticated attackers to poison reset links, leading to account takeover. Responsibility likely falls to the platform or application owner managing the Grav CMS instance, with potential coordination needed from security and vendor management teams if a third-party integration is involved. The initial step is to identify all instances of the affected plugin, assess their exposure and business criticality, and then prioritize remediation efforts based on these findings.

  • Identify Grav CMS instances and plugin usage.
  • Verify plugin reachability and business criticality.
  • Coordinate vendor patch or risk reduction.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Grav API plugin?

The Grav API plugin is a component for the Grav CMS, a file-based web platform. It extends the CMS by providing an interface for programmatic interactions, such as managing authentication and user account recovery processes via web requests.

What is the vulnerability in CVE-2026-61451?

This flaw is a URL redirection issue, classified as CWE-601. It occurs because the plugin fails to verify that the base URL used in password reset emails actually points to the legitimate site. Instead, it accepts client-provided input, allowing an attacker to rewrite the reset link to point to an external server they control.

How can an attacker trigger this vulnerability?

An attacker triggers this by sending a crafted POST request to the forgot-password API endpoint, specifically manipulating the admin_base_url field or the Referer/Origin headers. The bug does not trigger if the application is configured to ignore these external headers, but because the current logic only checks for basic URL schemes like http or https, it accepts malicious hosts by default.

Why is this CVE concerning for my Grav instance?

According to Halo Surface Signal, this vulnerability is highly relevant because it exists in an API endpoint typically exposed to the public internet for user convenience. Since it requires no authentication, anyone on the web can attempt to intercept reset tokens, making any site that enables user account recovery via this plugin a potential target.

What should I do to address CVE-2026-61451?

Start by identifying all instances of the Grav CMS running the API plugin within your environment. Once mapped, verify which instances are publicly reachable and critical to business operations. Prioritize updating the plugin to version 1.0.4 or later, which contains the necessary validation logic to prevent unauthorized host redirection.

References