HIGH🇬🇧 English

CVE-2026-1436

CVSS 7.1v4.0pub. 2026-02-18

Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other user's profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive third-party information to be accessed, such as names, email addresses, internal identifiers, and last activity. The endpoint 'http://<IP>:12900/users/<my_user>' does not implement object-level authorization validations.

oryginał EN
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Graylog

    APP
    Graylog
    2.2.3
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
IDOR
CWE
Referencje

Powiązane podatności

CVE-2026-1435CRITICAL9.3PL ✓ten sam produkt

Graylog: brak unieważniania sesji po ponownym logowaniu (CWE-613)

CVE-2021-37759CRITICAL9.8ten sam produkt

A Session ID leak in the DEBUG log file in Graylog before 4.1.2 allows attackers to escalate privileges (to th...

CVE-2021-37760CRITICAL9.8ten sam produkt

A Session ID leak in the audit log in Graylog before 4.1.2 allows attackers to escalate privileges (to the acc...

CVE-2025-53106HIGH8.8ten sam produkt

Graylog is a free and open log management platform. In versions 6.2.0 to before 6.2.4 and 6.3.0-alpha.1 to bef...

CVE-2025-46827HIGH8.0ten sam produkt

Graylog is a free and open log management platform. Prior to versions 6.0.14, 6.1.10, and 6.2.0, it is possibl...