CVE-2026-1435

Not properly invalidated session vulnerability in Graylog Web Interface, version 2.2.3, due to incorrect management of session invalidation after new logins. The application generates a new 'sessionId' each time a user authenticates, but does not invalidate previously issued session identifiers, which remain valid even after multiple consecutive logins by the same user. As a result, a stolen or leaked 'sessionId' can continue to be used to authenticate valid requests. Exploiting this vulnerability would allow an attacker with access to the web service/API network (port 9000 or HTTP/S endpoint of the server) to reuse an old session token to gain unauthorized access to the application, interact with the API/web, and compromise the integrity of the affected account.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-graylog	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:graylog:graylog:2.2.3:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-18 14:16

Updated : 2026-02-18 20:22

NVD link : CVE-2026-1435

Mitre link : CVE-2026-1435

CVE.ORG link : CVE-2026-1435

JSON object : View

Products Affected

graylog

graylog

CWE

CWE-613

Insufficient Session Expiration

{"id": "CVE-2026-1435", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-18T14:16:05.700", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-graylog", "tags": ["Third Party Advisory"], "source": "cve-coordination@incibe.es"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "Not properly invalidated session vulnerability in Graylog Web Interface, version 2.2.3, due to incorrect management of session invalidation after new logins. The application generates a new 'sessionId' each time a user authenticates, but does not invalidate previously issued session identifiers, which remain valid even after multiple consecutive logins by the same user. As a result, a stolen or leaked 'sessionId' can continue to be used to authenticate valid requests. Exploiting this vulnerability would allow an attacker with access to the web service/API network (port 9000 or HTTP/S endpoint of the server) to reuse an old session token to gain unauthorized access to the application, interact with the API/web, and compromise the integrity of the affected account."}, {"lang": "es", "value": "Vulnerabilidad de sesi\u00f3n no invalidada correctamente en la interfaz web de Graylog, versi\u00f3n 2.2.3, debido a una gesti\u00f3n incorrecta de la invalidaci\u00f3n de la sesi\u00f3n despu\u00e9s de nuevos inicios de sesi\u00f3n. La aplicaci\u00f3n genera un nuevo 'sessionId' cada vez que un usuario se autentica, pero no invalida los identificadores de sesi\u00f3n emitidos previamente, los cuales permanecen v\u00e1lidos incluso despu\u00e9s de m\u00faltiples inicios de sesi\u00f3n consecutivos por el mismo usuario. Como resultado, un 'sessionId' robado o filtrado puede seguir siendo utilizado para autenticar solicitudes v\u00e1lidas. La explotaci\u00f3n de esta vulnerabilidad permitir\u00eda a un atacante con acceso a la red del servicio web/API (puerto 9000 o punto final HTTP/S del servidor) reutilizar un token de sesi\u00f3n antiguo para obtener acceso no autorizado a la aplicaci\u00f3n, interactuar con la API/web, y comprometer la integridad de la cuenta afectada."}], "lastModified": "2026-02-18T20:22:51.750", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:graylog:graylog:2.2.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A16887AF-88FA-4E84-8AD7-F3EBA153E453"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@incibe.es"}