Description
Session-not-properly-invalidated vulnerability in Graylog Web Interface, version 2.2.3, caused by incorrect handling of session invalidation after new logins. The application generates a new 'sessionId' each time a user authenticates but does not invalidate previously issued session identifiers, which remain valid even after multiple consecutive logins by the same user. As a result, a stolen or leaked 'sessionId' can continue to be used to authenticate requests. An attacker with access to the web service/API network (port 9000 or the HTTP/S endpoint of the server) could reuse an old session token to gain unauthorized access to the application, interact with the API/web interface, and compromise the integrity of the affected account.
Published: 2026-02-18
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized session hijacking via reuse of old session tokens
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in Graylog Web Interface 2.2.3 allows a session identifier issued during a prior login to remain valid after a new login occurs. Each authentication generates a new sessionId but does not invalidate the previous ones. Consequently, a compromised or leaked sessionId can be replayed, enabling an attacker to authenticate as that user, interact with the API or web interface, and modify data under that account, thereby compromising the integrity of user data and system operations.

Affected Systems

Graylog Web Interface, specifically version 2.2.3. All earlier Graylog releases are considered obsolete and unpatched for this issue.

Risk and Exploitability

The CVSS severity score is 9.3, indicating high impact. The EPSS score is below 1%, suggesting a low but nonzero exploitation probability. The vulnerability is not currently listed in the CISA KEV catalog. Based on the description, an attacker would need remote access to the Graylog web service or API, typically via port 9000 or an HTTPS endpoint, and would first have to obtain or intercept a valid sessionId before replaying it. The primary attack vector is therefore remote, over HTTP(S) requests, with possession of a valid sessionId as the prerequisite.

Generated by OpenCVE AI on April 17, 2026 at 18:46 UTC.

Remediation

Vendor Solution

It is recommended to update the software to the latest version, where the vulnerability described has already been mitigated. For the affected version, the vulnerability is not mitigated, as the manufacturer considers all versions prior to the current one to be obsolete.


OpenCVE Recommended Actions

  • Upgrade Graylog Web Interface to the latest available version, where session invalidation has been fixed and older versions are no longer maintained.
  • Configure Graylog to enforce session expiration and to revoke all outstanding session identifiers for a user upon any new login, so that stale tokens cannot be reused.
  • Apply network segmentation or firewall rules to restrict access to the Graylog API and port 9000 to trusted hosts, reducing the surface area for an attacker to capture session identifiers.
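As an added illustration (not Graylog's code), the following Python sketch contrasts a session store that keeps earlier sessions alive after a new login, the CWE-613 behaviour described in this advisory, with one that revokes a user's outstanding sessions on every login and expires idle sessions; the class, method and user names are assumptions.

```python
import secrets
import time


class SessionStore:
    """Minimal in-memory session store (added example, not Graylog code). By default it
    mirrors the advisory's CWE-613 behaviour: each login mints a fresh session id but
    earlier ids for the same user stay valid. revoke_on_login=True fixes that."""

    def __init__(self, revoke_on_login=False, idle_timeout=900.0, clock=time.time):
        self.revoke_on_login = revoke_on_login
        self.idle_timeout = idle_timeout   # seconds of inactivity before a session expires
        self.clock = clock                 # injectable so expiry can be tested offline
        self._sessions = {}                # sid -> [user, last_seen]

    def login(self, user):
        """Authenticate `user` and return a new session id."""
        if self.revoke_on_login:
            self.revoke_all(user)          # the missing step in the vulnerable version
        sid = secrets.token_urlsafe(32)    # 256-bit unguessable id
        self._sessions[sid] = [user, self.clock()]
        return sid

    def validate(self, sid):
        """Return the user bound to `sid`, or None if unknown or idle-expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if now - entry[1] > self.idle_timeout:
            del self._sessions[sid]        # lazy expiry of stale sessions
            return None
        entry[1] = now
        return entry[0]

    def revoke_all(self, user):
        """Invalidate every session belonging to `user`; returns how many were dropped."""
        stale = [sid for sid, (u, _) in self._sessions.items() if u == user]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)


def old_session_survives_relogin(store):
    """True when a session id issued before a second login still authenticates,
    which is exactly the condition the advisory describes (constructed user 'alice')."""
    first = store.login("alice")
    store.login("alice")
    return store.validate(first) == "alice"
```

The same check can be run against a live deployment as a regression test after patching: log in twice and confirm the first session id is rejected.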

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Graylog graylog
CPEs cpe:2.3:a:graylog:graylog:2.2.3:*:*:*:*:*:*:*
Vendors & Products Graylog graylog
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 18 Feb 2026 13:45:00 +0000

Type Values Removed Values Added
Description Not properly invalidated session vulnerability in Graylog Web Interface, version 2.2.3, due to incorrect management of session invalidation after new logins. The application generates a new 'sessionId' each time a user authenticates, but does not invalidate previously issued session identifiers, which remain valid even after multiple consecutive logins by the same user. As a result, a stolen or leaked 'sessionId' can continue to be used to authenticate valid requests. Exploiting this vulnerability would allow an attacker with access to the web service/API network (port 9000 or HTTP/S endpoint of the server) to reuse an old session token to gain unauthorized access to the application, interact with the API/web, and compromise the integrity of the affected account.
Title Incorrect management of session invalidation vulnerability in Graylog Web Interface
First Time appeared Graylog
Graylog graylog Web Interface
Weaknesses CWE-613
CPEs cpe:2.3:a:graylog:graylog_web_interface:2.2.3:*:*:*:*:*:*:*
Vendors & Products Graylog
Graylog graylog Web Interface
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-02-18T20:24:40.349Z

Reserved: 2026-01-26T13:20:06.891Z

Link: CVE-2026-1435

Vulnrichment

Updated: 2026-02-18T20:24:28.278Z

NVD

Status: Analyzed

Published: 2026-02-18T14:16:05.700

Modified: 2026-02-18T20:22:51.750

Link: CVE-2026-1435

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:00:10Z

Weaknesses