HIGH🇵🇱 Wersja polska

CVE-2026-1436

CVSS 7.1v4.0pub. 2026-02-18

Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other user's profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive third-party information to be accessed, such as names, email addresses, internal identifiers, and last activity. The endpoint 'http://<IP>:12900/users/<my_user>' does not implement object-level authorization validations.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Graylog

    APP
    Graylog
    2.2.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
IDOR
CWE
References

Related vulnerabilities

CVE-2026-1435CRITICAL9.3PL ✓ten sam produkt

Graylog: brak unieważniania sesji po ponownym logowaniu (CWE-613)

CVE-2021-37759CRITICAL9.8ten sam produkt

A Session ID leak in the DEBUG log file in Graylog before 4.1.2 allows attackers to escalate privileges (to th...

CVE-2021-37760CRITICAL9.8ten sam produkt

A Session ID leak in the audit log in Graylog before 4.1.2 allows attackers to escalate privileges (to the acc...

CVE-2025-53106HIGH8.8ten sam produkt

Graylog is a free and open log management platform. In versions 6.2.0 to before 6.2.4 and 6.3.0-alpha.1 to bef...

CVE-2025-46827HIGH8.0ten sam produkt

Graylog is a free and open log management platform. Prior to versions 6.0.14, 6.1.10, and 6.2.0, it is possibl...