CVE-2026-1435
Patch now: CVE-2026-1435 is a critical session-management flaw in Graylog 2.2.3. Logging in issues a new session token without invalidating the user's earlier tokens, so an attacker holding a stolen or leaked token can keep using it to impersonate that user, bypassing the password and MFA. Upgrade to version 2.2.4 immediately.
Overview
A critical security flaw has been identified in the Graylog web interface. It stems from a failure to properly terminate user sessions: old session tokens remain usable indefinitely instead of being invalidated. This could enable unauthorized access to sensitive log-management data and to the system controls exposed through the web interface and API.
Vulnerability Description
When a user logs into an affected Graylog instance, the application issues a new session token but does not invalidate that user's previous session tokens. Any earlier token, whether it was stolen from a browser, captured in transit, or leaked in some other way at any point in the past, remains fully valid. An attacker who obtains one of these tokens can present it to the web interface or REST API and act as the legitimate user without supplying a password or completing multi-factor authentication.
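The following is an added illustration, not Graylog's code: a minimal in-memory session store with the behaviour described above (a new login never revokes earlier tokens, and tokens never expire), beside a hardened store that supersedes the user's earlier sessions on login, enforces idle and absolute lifetimes, and offers logout and an administrative revoke-all. All class and function names are constructed for the example, and the clock is a fixed constant so the scenario is deterministic.

```python
from typing import Dict, Optional
import secrets
import time


class Session:
    """One issued token. Constructed for this example."""

    def __init__(self, user: str, created: float) -> None:
        self.user = user
        self.created = created
        self.last_seen = created
        self.valid = True


class VulnerableSessionStore:
    """Mirrors the flaw: a login mints a fresh token, but earlier tokens for
    the same user are neither revoked nor expired, so any leaked token keeps
    working for as long as the store exists."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self.sessions[token] = Session(user, now)
        return token

    def authenticate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        s = self.sessions.get(token)
        return s.user if s is not None and s.valid else None


class HardenedSessionStore(VulnerableSessionStore):
    """Same API, but a new login supersedes the user's earlier sessions,
    tokens expire on idle and absolute timeouts, and logout/revoke exist."""

    IDLE_TIMEOUT = 8 * 3600        # seconds without use before a token dies
    ABSOLUTE_LIFETIME = 24 * 3600  # hard cap regardless of activity

    def login(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        self.revoke_all(user)  # a leaked older token is useless from here on
        return super().login(user, now)

    def authenticate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        s = self.sessions.get(token)
        if s is None or not s.valid:
            return None
        if now - s.last_seen > self.IDLE_TIMEOUT or now - s.created > self.ABSOLUTE_LIFETIME:
            s.valid = False  # expire lazily on first use past the limit
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        s = self.sessions.get(token)
        if s is not None:
            s.valid = False

    def revoke_all(self, user: str) -> int:
        """Administrative kill switch: invalidate every session of one user."""
        n = 0
        for s in self.sessions.values():
            if s.user == user and s.valid:
                s.valid = False
                n += 1
        return n


T0 = 1_700_000_000.0  # fixed clock so the scenario is deterministic


def replay_old_token(store_cls) -> bool:
    """True if a token from an earlier login still authenticates after the
    user has logged in again: the exact behaviour the advisory describes."""
    store = store_cls()
    old = store.login("alice", now=T0)     # assume this token later leaks
    store.login("alice", now=T0 + 60)      # the user logs in again
    return store.authenticate(old, now=T0 + 120) == "alice"


def token_outlives_lifetime(store_cls) -> bool:
    """True if a token is still accepted a week after it was issued."""
    store = store_cls()
    tok = store.login("bob", now=T0)
    return store.authenticate(tok, now=T0 + 7 * 86400) == "bob"


if __name__ == "__main__":
    for cls in (VulnerableSessionStore, HardenedSessionStore):
        print(cls.__name__, "replay:", replay_old_token(cls),
              "outlives lifetime:", token_outlives_lifetime(cls))
```

Revoking every earlier session on login is the strictest choice; a deployment that needs concurrent browser and API sessions for one account would instead keep them but still enforce the lifetimes and expose the revoke-all path, which is what an administrator reaches for once a token is suspected leaked.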
Affected Systems
- Software: Graylog Web Interface
- Version: 2.2.3
- Exposure: The web interface and API, typically accessible on port 9000 or via the server’s HTTP/HTTPS endpoint.
Potential Impact
The impact of this vulnerability is severe (CVSS Score: 9.8 - CRITICAL). Successful exploitation could lead to:
- Unauthorized Access: Attackers can gain full access to a compromised user’s account within Graylog.
- Data Breach & Tampering: Sensitive log data could be viewed, exported, altered, or deleted, compromising forensic integrity.
- System Compromise: Attackers could manipulate Graylog configurations, create new user accounts, or disrupt monitoring and alerting functions.
Remediation and Mitigation
Immediate action is required to protect affected systems.
- Apply the official patch: upgrade Graylog to version 2.2.4 or later, which resolves this issue (consult the official Graylog security advisories). Test the upgrade in a non-production environment first.
- Immediate mitigations (if patching is delayed):
  - Enforce network controls: restrict access to the Graylog web interface and REST API (port 9000/TCP by default) with firewall rules, allowing connections only from trusted administrative networks or IP ranges.
  - Monitor for suspicious activity: review Graylog audit and authentication logs for the same user active from several source IPs at once, or for a session token still being used after that user has logged in again.
  - Proactive session invalidation: as an administrative workaround, force all users to log out (for example by restarting the Graylog web service). Graylog persists sessions in MongoDB, so verify afterwards that previously issued tokens are actually rejected rather than assuming the restart cleared them. This is only a temporary measure: any token leaked after the restart is again usable indefinitely until the patch is applied.
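As an added example of the monitoring step above (not part of the advisory, and not Graylog's own tooling), the script below runs two detections over constructed authentication-log lines: a request that carries a session token older than the user's most recent login, which is the signature of a replayed token on an unpatched instance, and logins for one user from more than one source IP inside a short window. The line format, user names and addresses are invented for the example; adapt the regular expression to your actual audit-log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Constructed sample lines; the format is invented for this example.
SAMPLE_LOG = """\
2026-03-01T08:00:00Z login user=alice session=s1 src=10.0.0.5
2026-03-01T08:05:00Z request user=alice session=s1 src=10.0.0.5 path=/api/search
2026-03-01T09:00:00Z login user=alice session=s2 src=10.0.0.5
2026-03-01T09:10:00Z request user=alice session=s1 src=203.0.113.77 path=/api/users
2026-03-01T09:12:00Z login user=bob session=s3 src=10.0.0.9
2026-03-01T09:30:00Z login user=bob session=s4 src=198.51.100.20
2026-03-01T10:00:00Z login user=carol session=s5 src=10.0.0.7
2026-03-01T10:05:00Z request user=carol session=s5 src=10.0.0.7 path=/api/streams
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login|request) user=(?P<user>\S+) "
    r"session=(?P<session>\S+) src=(?P<src>\S+)"
)


def parse(lines: Iterable[str]) -> List[Dict]:
    """Parse matching lines into dicts and sort them by timestamp."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not login/request events
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    records.sort(key=lambda r: r["ts"])
    return records


def find_superseded_session_use(records: List[Dict]) -> List[Dict]:
    """Flag requests whose session id is older than the user's most recent
    login. With the fix applied these should never occur; without it they are
    the signature of a replayed token."""
    latest: Dict[str, tuple] = {}  # user -> (time of latest login, session id)
    origin: Dict[str, str] = {}    # session id -> source IP at login
    findings = []
    for r in records:
        if r["event"] == "login":
            latest[r["user"]] = (r["ts"], r["session"])
            origin[r["session"]] = r["src"]
            continue
        if r["user"] not in latest:
            continue
        login_ts, current = latest[r["user"]]
        if r["session"] != current and r["ts"] > login_ts:
            findings.append({
                "user": r["user"],
                "session": r["session"],
                "src": r["src"],
                "login_src": origin.get(r["session"]),
                "reason": "superseded session still in use",
            })
    return findings


def find_multi_ip_logins(records: List[Dict], window: timedelta = timedelta(hours=1)) -> List[Dict]:
    """Flag users with logins from more than one source IP inside the window."""
    logins = defaultdict(list)
    for r in records:
        if r["event"] == "login":
            logins[r["user"]].append((r["ts"], r["src"]))
    findings = []
    for user, events in logins.items():
        for i, (ts, src) in enumerate(events):
            others = {s for t2, s in events[i + 1:] if t2 - ts <= window and s != src}
            if others:
                findings.append({"user": user, "srcs": sorted({src} | others),
                                 "reason": "logins from multiple source IPs"})
                break
    return findings


def scan(text: str) -> Dict[str, List[Dict]]:
    records = parse(text.splitlines())
    return {"superseded": find_superseded_session_use(records),
            "multi_ip": find_multi_ip_logins(records)}


if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_LOG).items():
        for h in hits:
            print(kind, h)
```

On the sample input the first detection fires once, for alice's session s1 being used from 203.0.113.77 after she logged in again as s2, and the second fires for bob's two logins from different addresses within an hour; the multi-IP rule will also catch legitimate roaming users, so treat it as a lead to correlate with the first rule rather than an alert on its own.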
All administrators of Graylog 2.2.3 should prioritize upgrading to a secured version to eliminate this risk.