PT-2025-27497 · Graylog · Graylog

Thll

Published: 2025-06-30 · Updated: 2025-07-02 · CVE-2025-53106

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Graylog versions prior to 6.2.4; Graylog 6.3.0 pre-release versions prior to 6.3.0-rc.2
Description: A flaw in Graylog allows an authenticated user to escalate privileges by abusing API tokens. The permission check on token creation is too weak: a low-privileged user can create an API token for the local Administrator, or for any other user whose user ID they know, and then authenticate to Graylog as that user with the token. The attacker needs only a regular user account in Graylog and can then issue hand-crafted requests to the Graylog REST API.
Recommendations: Update to version 6.2.4 or 6.3.0-rc.2 immediately. Until the update is applied, on Graylog 6.2.0 and later restrict regular users from creating API tokens by disabling the "Allow users to create personal access tokens" option under System > Configuration > Users. After upgrading, review all existing API tokens under System > Users and Teams > Token Management, confirm that each token has a legitimate owner and purpose, and revoke any that does not. In Graylog Enterprise, check the Audit Log for the action "create token" and verify that the Actor matches the user for whom the token was created; a token created by one user for another is the signature of this attack. In Graylog Open, which has no audit log, review the HTTP access logs for token-creation requests, i.e. POST requests to the "/api/users/{user id}/tokens/{token name}" endpoint, and check who issued each one and for which user ID.
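The access-log review described above for Graylog Open, as an added example that is not part of this advisory or of Graylog's own tooling: a Python script that picks token-creation POSTs to the /api/users/{user id}/tokens/{token name} endpoint out of a reverse-proxy access log and flags the entries a reviewer has to look at (token created for the local admin, actor and target user differ, actor not visible to the proxy, failed attempts). The combined log format, the username-to-user-ID mapping, the local admin user ID "local:admin" and the log lines themselves are assumptions or constructed sample data, not real traffic.

```python
import re
from dataclasses import dataclass, field

# Combined-format access line (nginx/Apache style): remote address, ident,
# proxy-visible user, timestamp, request line, status. Anything after the
# status code is ignored. This layout is an assumption about the proxy.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<remote_user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)
# Token creation is a POST to /api/users/{user id}/tokens/{token name}
# (the endpoint named in the advisory); a path prefix before /api is tolerated.
TOKEN_PATH_RE = re.compile(r'/api/users/(?P<target>[^/]+)/tokens/(?P<name>[^/]+)/?$')

# Assumption: the built-in administrator account has the user ID "local:admin".
LOCAL_ADMIN_ID = "local:admin"


@dataclass
class TokenCreation:
    timestamp: str
    source: str
    actor: str           # proxy-visible user; "-" when only a session cookie was sent
    target_user_id: str  # user the token was created for (taken from the URL)
    token_name: str
    status: int


@dataclass
class Finding:
    creation: TokenCreation
    reasons: list = field(default_factory=list)


def parse_token_creations(lines):
    """Return every POST to the token-creation endpoint found in the log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST':
            continue
        path = m['path'].split('?', 1)[0]   # drop any query string
        p = TOKEN_PATH_RE.search(path)
        if not p:
            continue
        hits.append(TokenCreation(m['ts'], m['src'], m['remote_user'],
                                  p['target'], p['name'], int(m['status'])))
    return hits


def suspicious_creations(creations, user_ids, local_admin_id=LOCAL_ADMIN_ID):
    """Flag token creations that need a human look.

    user_ids maps proxy-visible usernames to Graylog user IDs so that the
    actor (a name) can be compared with the target (an ID from the URL).
    Failed requests are kept as well: a 4xx here is an attempt worth knowing about.
    """
    findings = []
    for c in creations:
        reasons = []
        if c.target_user_id == local_admin_id:
            reasons.append("token created for the local admin account")
        if c.actor == '-':
            reasons.append("actor not visible in access log; attribute via Graylog session data")
        elif user_ids.get(c.actor) != c.target_user_id:
            reasons.append(f"actor {c.actor!r} created a token for another user")
        if not 200 <= c.status < 300:
            reasons.append(f"request failed with HTTP {c.status} (attempt)")
        if reasons:
            findings.append(Finding(c, reasons))
    return findings


# Constructed sample log, not real traffic: Alice creates a token for herself,
# Bob creates one for the local admin and one for Alice, an unattributed client
# creates one for Bob, and a GET that merely lists tokens is ignored.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Jul/2025:10:14:02 +0000] "POST /api/users/64f1c0ffee00000000000a11/tokens/backup HTTP/1.1" 200 412
10.0.0.9 - bob [01/Jul/2025:10:15:40 +0000] "POST /api/users/local:admin/tokens/cli HTTP/1.1" 200 410
10.0.0.9 - bob [01/Jul/2025:10:16:01 +0000] "POST /api/users/64f1c0ffee00000000000a11/tokens/sync HTTP/1.1" 200 409
10.0.0.7 - - [01/Jul/2025:10:17:30 +0000] "POST /api/users/64f1c0ffee00000000000b22/tokens/ci HTTP/1.1" 200 415
10.0.0.5 - alice [01/Jul/2025:10:18:00 +0000] "GET /api/users/64f1c0ffee00000000000a11/tokens HTTP/1.1" 200 88
"""
# Constructed username -> user ID mapping (in practice exported from GET /api/users).
SAMPLE_USER_IDS = {"alice": "64f1c0ffee00000000000a11", "bob": "64f1c0ffee00000000000b22"}


def run_sample():
    creations = parse_token_creations(SAMPLE_LOG.splitlines())
    return suspicious_creations(creations, SAMPLE_USER_IDS)


if __name__ == "__main__":
    for f in run_sample():
        c = f.creation
        print(f"{c.timestamp} {c.source} actor={c.actor} target={c.target_user_id} "
              f"token={c.token_name}: {'; '.join(f.reasons)}")
```

On the sample data the script reports three of the four creations: Bob's token for the local admin, Bob's token for Alice, and the creation whose actor the proxy could not see. When clients authenticate with a Graylog session cookie rather than HTTP basic auth, the proxy's user field is always "-", so every hit has to be attributed from the Graylog side; the same actor-versus-target comparison is what to apply to the Enterprise Audit Log, where both fields are recorded directly.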

Exploit · Fix · LPE

Weakness Enumeration: Improper Authorization

Related Identifiers

BDU:2026-00757
CVE-2025-53106
GHSA-3M86-C9X3-VWM9

Affected Products

Graylog