PT-2026-20392 · Graylog · Graylog
Published 2026-02-18 · Updated 2026-02-18 · CVE-2026-1436
CVSS v4.0: 7.1 (High)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Graylog version 2.2.3
Description
An improper access control issue exists in the Graylog API. An authenticated user can access other users' profiles without proper authorization checks by modifying the user ID in the URL. This allows enumerating valid users and accessing sensitive third-party information, such as names, email addresses, internal identifiers, and last activity. The API endpoint http://<IP>:12900/users/<my user> lacks object-level authorization validation.
Recommendations
Apply appropriate object-level authorization validation to the /users/<my user> API endpoint.
Fix
IDOR
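The missing check described above, shown as a minimal request handler in its vulnerable and hardened forms. This is an added example, not Graylog's code; the User record, the in-memory USERS table and the admin role are constructed assumptions.

```python
# Added example, not Graylog's code: a /users/<id> lookup written twice, once
# with only authentication and once with object-level authorization. The User
# record, the USERS table and the admin role name are constructed assumptions.
from dataclasses import dataclass, asdict
from typing import Optional

@dataclass(frozen=True)
class User:
    user_id: str
    username: str
    email: str
    last_activity: str = ""
    is_admin: bool = False

# Constructed sample data standing in for the real user store.
USERS = {
    "u-1001": User("u-1001", "alice", "alice@example.test", "2026-02-18T09:00:00Z"),
    "u-1002": User("u-1002", "bob", "bob@example.test", "2026-02-17T17:30:00Z"),
    "u-0001": User("u-0001", "admin", "admin@example.test", is_admin=True),
}

Response = tuple[int, Optional[dict]]  # (HTTP status, JSON body or None)

def get_user_vulnerable(requester_id: str, target_id: str) -> Response:
    """Authentication only: requester_id is never compared with target_id, so any
    logged-in user can read any profile, and 200 vs 404 reveals which IDs exist."""
    target = USERS.get(target_id)
    return (404, None) if target is None else (200, asdict(target))

def get_user_fixed(requester_id: str, target_id: str) -> Response:
    """Object-level authorization: decide on the (requester, target) pair before
    touching the store, so a non-admin learns nothing about other IDs."""
    requester = USERS.get(requester_id)
    if requester is None:
        return 401, None          # no authenticated principal
    if requester_id != target_id and not requester.is_admin:
        return 403, None          # same answer whether the target exists or not
    target = USERS.get(target_id)
    if target is None:
        return 404, None          # only reachable for one's own id or by admins
    return 200, asdict(target)
```

The hardened handler performs the ownership/role decision before the lookup, which closes both the profile disclosure and the user-enumeration side channel the advisory mentions.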
Weakness Enumeration
Related Identifiers
Affected Products
Graylog