CVE-2026-1436 PUBLISHED

Improper Access Control (IDOR) vulnerability in Graylog Web Interface

Assigner: INCIBE
Reserved: 26.01.2026 Published: 18.02.2026 Updated: 18.02.2026

Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other user's profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive third-party information to be accessed, such as names, email addresses, internal identifiers, and last activity. The endpoint 'http://<IP>:12900/users/<my_user>' does not implement object-level authorization validations.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 7.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	Graylog
Product	Graylog Web Interface
Versions	Default: unaffected Version 2.2.3 is affected

Solutions

It is recommended to update the software to the latest version, where the vulnerability described has already been mitigated. For the affected version, the vulnerability is not mitigated, as the manufacturer considers all versions prior to the current one to be obsolete.

Credits

Julen Garrido Estévez (B3xal) finder

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-graylog

Problem Types

CWE-639 Authorization Bypass Through User-Controlled Key CWE