Multiple vulnerabilities in Graylog

Posted date: 17/02/2026
Identifier: INCIBE-2026-118
Importance: 5 - Critical
Affected Resources

Graylog Web Interface version 2.2.3.

Description

INCIBE has coordinated the publication of 7 vulnerabilities (1 critical, 1 high and 5 medium) affecting Graylog Web Interface, a SIEM for AI-powered log management, security and IT operations. The vulnerabilities were discovered by Julen Garrido Estévez (B3xal).

Each vulnerability has been assigned the following CVE identifier, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2026-1435: CVSS v4.0: 9.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N | CWE-613
  • CVE-2026-1436: CVSS v4.0: 7.0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-284
  • CVE-2026-1437 to CVE-2026-1441: CVSS v4.0: 6.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:R/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N | CWE-79
Solution

It is recommended to update the software to the latest version, in which the vulnerabilities described have already been mitigated. The affected version will not be fixed, as the vendor considers all versions prior to the current one obsolete.

Detail
  • CVE-2026-1435: session not properly invalidated vulnerability in Graylog Web Interface, version 2.2.3, due to incorrect handling of session invalidation after new logins. The application generates a new 'sessionId' each time a user authenticates, but does not invalidate previously issued session identifiers, which remain valid even after multiple consecutive logins by the same user. As a result, a stolen or leaked 'sessionId' can continue to be used to authenticate requests. Exploiting this vulnerability would allow an attacker with network access to the web service/API (port 9000 or the server's HTTP/S endpoint) to reuse an old session token to gain unauthorized access to the application, interact with the API/web interface, and compromise the integrity of the affected account.
  • CVE-2026-1436: improper access control (IDOR) in the Graylog API, version 2.2.3, triggered by modifying the user ID in the URL. An authenticated user can access other users' profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be enumerated and sensitive third-party information to be accessed, such as names, email addresses, internal identifiers and last activity. The endpoint 'http://<IP>:12900/users/<my_user>' does not implement object-level authorization checks.
  • Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack of proper sanitization and escaping in HTML output. Several endpoints include segments of the URL directly in the response without applying output encoding, allowing an attacker to inject and execute arbitrary JavaScript code when a user visits a specially crafted URL. Exploitation of this vulnerability may allow script execution in the victim's browser and limited manipulation of the affected user's session context. The affected endpoints are listed below:
    • CVE-2026-1437: '/system/authentication/users/edit/';
    • CVE-2026-1438: '/system/nodes/';
    • CVE-2026-1439: '/alerts/';
    • CVE-2026-1440: '/system/pipelines/';
    • CVE-2026-1441: '/system/index_sets/'.
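The session-handling defect behind CVE-2026-1435 (CWE-613) is easiest to see in a small server-side model. The following Python is an added illustration, not Graylog code: a hypothetical SessionStore that, in its weak configuration, mints a fresh session ID on every login while leaving earlier IDs valid, and in its hardened configuration revokes the user's previous sessions before issuing a new one. The check function counts how many pre-existing IDs still authenticate after repeated logins; the expected secure result is zero.

```python
import secrets


class SessionStore:
    """Hypothetical server-side session registry (constructed for this example).

    invalidate_previous=False reproduces the behaviour described for
    CVE-2026-1435: each login issues a new session ID, but older IDs for the
    same user keep working until they expire.
    invalidate_previous=True is the hardened variant: a new login revokes
    every session still bound to that user.
    """

    def __init__(self, invalidate_previous: bool, ttl_seconds: int = 3600):
        self.invalidate_previous = invalidate_previous
        self.ttl = ttl_seconds
        self._sessions = {}  # session_id -> (username, expires_at)

    def login(self, username: str, now: float) -> str:
        if self.invalidate_previous:
            # Drop every live session for this user before minting a new one.
            for sid, (user, _) in list(self._sessions.items()):
                if user == username:
                    del self._sessions[sid]
        sid = secrets.token_urlsafe(32)  # unguessable, 256-bit session ID
        self._sessions[sid] = (username, now + self.ttl)
        return sid

    def logout(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)

    def authenticate(self, session_id: str, now: float):
        """Return the bound username, or None if the ID is unknown or expired."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            del self._sessions[session_id]  # lazy expiry on use
            return None
        return user


def stale_sessions_after_relogin(invalidate_previous: bool, logins: int = 3) -> dict:
    """Log 'alice' in `logins` times, then report how many of the earlier IDs
    still authenticate and whether the newest one does. Secure: 0 stale, latest valid."""
    store = SessionStore(invalidate_previous)
    now = 1_000_000.0  # constructed clock value; one second per login
    ids = [store.login("alice", now + i) for i in range(logins)]
    check_at = now + logins
    stale = sum(1 for sid in ids[:-1] if store.authenticate(sid, check_at) == "alice")
    return {"stale_sessions": stale, "latest_valid": store.authenticate(ids[-1], check_at) == "alice"}
```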
CVE

CVE identifier   Severity   Exploitation   Vendor
CVE-2026-1435    Critical   No             Graylog
CVE-2026-1436    High       No             Graylog
CVE-2026-1437    Medium     No             Graylog
CVE-2026-1438    Medium     No             Graylog
CVE-2026-1439    Medium     No             Graylog
CVE-2026-1440    Medium     No             Graylog
CVE-2026-1441    Medium     No             Graylog