Description
Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other users' profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive third-party information to be accessed, such as names, email addresses, internal identifiers, and last activity. The endpoint 'http://<IP>:12900/users/<my_user>' does not implement object-level authorization validations.
Published: 2026-02-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Sensitive Information
Action: Patch Immediately
AI Analysis

Impact

An authenticated user with nothing more than a low-privileged account can read any other user's profile by substituting that user's identifier in the /users/<id> path of the REST API (port 12900 in the description). The endpoint authenticates the caller but never checks whether the caller is allowed to see the requested object (CWE-639, authorization bypass through a user-controlled key). Disclosed data includes usernames, full names, email addresses, internal identifiers and last-activity timestamps, which also lets an attacker enumerate valid accounts. The impact is read-only disclosure: the record and both CVSS vectors report no integrity or availability effect.
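A check for the behaviour just described, added here as an example and not taken from the advisory or from Graylog's own code: with a low-privileged account it reads the caller's own profile and then another user's through GET /users/<id>, and reports whether object-level authorization is missing. It assumes the API accepts HTTP Basic authentication with the account's username and password, and that a user record comes back as a JSON object with keys such as "username", "email", "full_name", "id" and "last_activity" (assumed names, chosen to match the data the description lists). The simulated_get helper and the SAMPLE_USERS records are constructed so the logic can be exercised offline. Run it only against an instance you are authorised to test.

```python
import base64
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Keys whose presence marks a response as a disclosed profile. Assumed names,
# chosen to match the data the advisory lists (names, email, identifiers, last activity).
PROFILE_KEYS = ("username", "email", "full_name", "id", "last_activity")


def classify(status, body):
    """Map one (HTTP status, body) pair to 'exposed', 'denied', 'not_found' or 'other'."""
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "not_found"
    if status != 200:
        return "other"
    try:
        data = json.loads(body)
    except ValueError:
        return "other"
    if isinstance(data, dict) and any(key in data for key in PROFILE_KEYS):
        return "exposed"
    return "other"


def assess(get, own_user, other_user):
    """Decide whether object-level authorization is missing on /users/<id>.

    `get(target)` returns (status, body) for GET /users/<target> sent with the
    low-privileged account's own credentials. The account must be able to read
    its own profile (otherwise the credentials or URL are wrong and nothing
    follows); it must not be able to read anyone else's.
    """
    if classify(*get(own_user)) != "exposed":
        return "inconclusive"
    other = classify(*get(other_user))
    return "vulnerable" if other == "exposed" else "not_vulnerable"


def fetch(base_url, username, password, target_user, timeout=10):
    """Live transport: GET <base_url>/users/<target_user> with HTTP Basic auth (assumed)."""
    url = f"{base_url.rstrip('/')}/users/{urllib.parse.quote(target_user, safe='')}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
                                               "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed records for offline use; not real accounts.
SAMPLE_USERS = {
    "alice": {"id": "u-1001", "username": "alice", "email": "alice@example.org",
              "full_name": "Alice Example", "last_activity": "2026-02-18T09:58:00.000Z"},
    "bob": {"id": "u-1002", "username": "bob", "email": "bob@example.org",
            "full_name": "Bob Example", "last_activity": "2026-02-17T16:12:00.000Z"},
}


def simulated_get(records, requester, enforce):
    """Offline stand-in for the server. enforce=False reproduces the flaw the
    advisory describes (any valid user reads any profile); enforce=True applies
    the missing object-level check and only returns the requester's own record."""
    def get(target):
        if target not in records:
            return 404, '{"message": "user not found"}'
        if enforce and target != requester:
            return 403, '{"message": "forbidden"}'
        return 200, json.dumps(records[target])
    return get


if __name__ == "__main__":
    if len(sys.argv) != 6:
        sys.exit("usage: probe.py <base_url> <login> <password> <own_user> <other_user>")
    base, login, password, own, other = sys.argv[1:]

    def live(target):
        return fetch(base, login, password, target)

    print(assess(live, own, other))
```

A result of vulnerable means the second request returned another account's profile to a caller that should only see its own; not_vulnerable means it was refused or absent while the caller's own profile was still readable; inconclusive means the first request failed, so fix the credentials or base URL before drawing any conclusion.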

Affected Systems

The CVE record lists Graylog Web Interface 2.2.3 from vendor Graylog. The CPE data on this page names both graylog:graylog_web_interface:2.2.3 and graylog:graylog:2.2.3, and the description itself points at the REST API on port 12900 rather than the browser front end. No other versions are listed, and the record does not name the release in which the check was added; the vendor's advice (below) is simply to move to the current version.

Risk and Exploitability

The CVSS 4.0 score of 7.1 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H, with no integrity or availability impact) places the flaw in the high range; NVD's CVSS 3.1 scoring of the same vector shape gives 6.5, Medium, so expect the rating to differ between tools. The EPSS score below 1% and the absence of a CISA KEV entry indicate no observed exploitation, and the SSVC assessment recorded on this page marks it as not automatable with partial technical impact. Exploitation needs nothing more than a valid low-privileged account and a changed path segment, so the realistic threat is any authenticated user: insiders, contractors, and accounts taken over with phished or reused credentials. Restricting network access to the API only shrinks that population; it does not add the missing authorization check, and the only complete fix is the upgrade.

Generated by OpenCVE AI on April 17, 2026 at 18:45 UTC.

Remediation

Vendor Solution

Graylog recommends updating to the latest release, in which the issue has already been mitigated. No fix is provided for 2.2.3 itself: the vendor treats all releases before the current one as obsolete, so the only remediation for an affected instance is to upgrade.


OpenCVE Recommended Actions

  • Upgrade Graylog to the latest released version, where the IDOR flaw is fixed; the record names no specific fixed version, so confirm the fix against the vendor's release notes.
  • Remove or retire legacy Graylog 2.2.3 instances from production rather than trying to patch them in place; no fix is offered for that version.
  • Until the upgrade lands, restrict network access to the REST API (port 12900 in the description) and to the /users endpoint to trusted segments, and keep the set of accounts that can reach it small. This limits who can exploit the flaw but does not remove it.
  • After upgrading, verify with a low-privileged account that GET /users/<other_user> is refused (403 or 404) while that account's own profile is still readable.
  • Review API access logs for GET /users/<id> requests where <id> differs from the requesting account and the caller is not an administrator; on an unpatched instance such requests returning 200 are reads of other users' profiles.
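The log review a practitioner would pair with the actions above, added here as an example that is not part of this page or of Graylog: it scans an access log for GET /users/<id> requests whose <id> differs from the requesting account and reports, per requester, how many such reads were disclosed (200) versus refused (401/403). It assumes the REST API sits behind a reverse proxy that writes Combined Log Format with the authenticated account in the remote-user field, and it accepts an optional /api prefix for deployments that proxy the API under the web interface (also an assumption). The SAMPLE_LOG lines are constructed for this example and the privileged set is whatever administrator accounts you expect to read other profiles.

```python
import re
import urllib.parse
from collections import Counter

# Combined Log Format: host ident user [time] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Path of the affected endpoint. The optional /api prefix is an assumption for
# deployments that expose the REST API under the web interface.
USERS_RE = re.compile(r'^(?:/api)?/users/(?P<target>[^/?#]+)$')


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def cross_user_reads(lines, privileged=frozenset()):
    """Yield (time, requester, target, status) for GET /users/<x> where x != requester.

    Unauthenticated lines (user "-") and accounts in `privileged` are skipped.
    Status 200 means the profile was disclosed; 401/403 means the request was
    refused, which is what an upgraded instance should show.
    """
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["user"] == "-":
            continue
        um = USERS_RE.match(rec["path"].split("?", 1)[0])
        if not um:
            continue
        target = urllib.parse.unquote(um.group("target"))
        if target == rec["user"] or rec["user"] in privileged:
            continue
        yield rec["time"], rec["user"], target, rec["status"]


def summarise(lines, privileged=frozenset()):
    """Count disclosed (200) versus refused (anything else) cross-user reads per requester."""
    out = {}
    for _, requester, _, status in cross_user_reads(lines, privileged):
        counts = out.setdefault(requester, Counter())
        counts["disclosed" if status == 200 else "refused"] += 1
    return {user: dict(counts) for user, counts in out.items()}


# Constructed sample lines; hosts, accounts and timestamps are invented for this example.
SAMPLE_LOG = [
    '10.0.0.5 - alice [18/Feb/2026:10:00:01 +0000] "GET /users/alice HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '10.0.0.5 - alice [18/Feb/2026:10:00:07 +0000] "GET /users/bob HTTP/1.1" 200 498 "-" "curl/8.5.0"',
    '10.0.0.5 - alice [18/Feb/2026:10:00:09 +0000] "GET /users/carol?fields=email HTTP/1.1" 200 410 "-" "curl/8.5.0"',
    '10.0.0.9 - dave [18/Feb/2026:10:01:00 +0000] "GET /api/users/bob HTTP/1.1" 403 61 "-" "Mozilla/5.0"',
    '10.0.0.2 - admin [18/Feb/2026:10:02:00 +0000] "GET /users/bob HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [18/Feb/2026:10:03:00 +0000] "GET /users/bob HTTP/1.1" 401 40 "-" "curl/8.5.0"',
    '10.0.0.5 - alice [18/Feb/2026:10:04:00 +0000] "POST /users/alice HTTP/1.1" 204 0 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for time, requester, target, status in cross_user_reads(SAMPLE_LOG, privileged={"admin"}):
        print(f"{time} {requester} -> /users/{target} {status}")
    print(summarise(SAMPLE_LOG, privileged={"admin"}))
```

On the sample data alice's two reads of other profiles are reported as disclosed and dave's refused request as refused; the administrator's read is skipped because admin is in the privileged set, and the unauthenticated 401 is ignored. Feed real lines with `cross_user_reads(open(path), privileged={...})` and treat any disclosed entry from a non-administrator on a 2.2.3 instance as a profile exposure to investigate.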

Generated by OpenCVE AI on April 17, 2026 at 18:45 UTC.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 20:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Graylog graylog
CPEs                 -                cpe:2.3:a:graylog:graylog:2.2.3:*:*:*:*:*:*:*
Vendors & Products   -                Graylog graylog
Metrics              -                cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Wed, 18 Feb 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 13:45:00 +0000

Type                 Values Removed   Values Added
Description          -                Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other user's profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive third-party information to be accessed, such as names, email addresses, internal identifiers, and last activity. The endpoint 'http://<IP>:12900/users/<my_user>' does not implement object-level authorization validations.
Title                -                Improper Access Control (IDOR) vulnerability in Graylog Web Interface
First Time appeared  -                Graylog; Graylog graylog Web Interface
Weaknesses           -                CWE-639
CPEs                 -                cpe:2.3:a:graylog:graylog_web_interface:2.2.3:*:*:*:*:*:*:*
Vendors & Products   -                Graylog; Graylog graylog Web Interface
References           -                -
Metrics              -                cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-02-18T14:19:37.438Z

Reserved: 2026-01-26T13:20:07.838Z

Link: CVE-2026-1436

Vulnrichment

Updated: 2026-02-18T14:19:32.654Z

NVD

Status : Analyzed

Published: 2026-02-18T14:16:05.850

Modified: 2026-02-18T20:23:53.440

Link: CVE-2026-1436

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:00:10Z

Weaknesses