CVE-2026-1435
Status: Received - Intake
Session Fixation in Graylog 2.2.3 Allows Unauthorized Access

Publication date: 2026-02-18

Last updated on: 2026-02-18

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Improper session invalidation vulnerability in Graylog Web Interface, version 2.2.3, caused by incorrect handling of session invalidation after new logins. The application generates a new 'sessionId' each time a user authenticates, but does not invalidate previously issued session identifiers, which remain valid even after multiple consecutive logins by the same user. As a result, a stolen or leaked 'sessionId' can continue to be used to authenticate requests. Exploiting this vulnerability would allow an attacker with network access to the web service/API (port 9000 or the server's HTTP/S endpoint) to reuse an old session token to gain unauthorized access to the application, interact with the API/web interface, and compromise the integrity of the affected account.
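The following is an added illustration, not Graylog code and not part of the INCIBE record: a minimal in-memory session store that can be run either with the defect the description names (a login issues a fresh id but leaves the user's earlier ids valid) or with the hardened behaviour (earlier sessions for that user are revoked before the new id is issued). User names, the `SessionStore` class and `demo` helper are assumptions made for the example.

```python
"""Added example (hypothetical code, not Graylog's): the session-handling
defect described for CVE-2026-1435 beside its hardened form."""
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Minimal server-side session table: session id -> user name."""
    sessions: dict = field(default_factory=dict)
    # False reproduces the defect: old ids stay valid after a new login.
    revoke_previous_on_login: bool = True

    def login(self, user: str) -> str:
        # Assumption: the caller has already verified the user's credentials.
        if self.revoke_previous_on_login:
            # Hardened behaviour: drop every session this user already holds
            # before minting a new id, so a leaked old id stops working.
            stale = [sid for sid, u in self.sessions.items() if u == user]
            for sid in stale:
                del self.sessions[sid]
        sid = secrets.token_urlsafe(32)   # fresh, unguessable session id
        self.sessions[sid] = user
        return sid

    def authenticate(self, sid: str):
        """Return the user bound to a session id, or None if it is not valid."""
        return self.sessions.get(sid)

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)

    def active_sessions(self, user: str) -> int:
        return sum(1 for u in self.sessions.values() if u == user)


def demo(revoke_previous: bool) -> dict:
    """Log the same (constructed) user in three times and report whether the
    ids from the first two logins still authenticate afterwards."""
    store = SessionStore(revoke_previous_on_login=revoke_previous)
    first = store.login("alice")
    second = store.login("alice")
    third = store.login("alice")
    return {
        "old_ids_still_valid": (store.authenticate(first) is not None
                                and store.authenticate(second) is not None),
        "current_valid": store.authenticate(third) == "alice",
        "active_sessions": store.active_sessions("alice"),
    }


if __name__ == "__main__":
    print("vulnerable:", demo(revoke_previous=False))
    print("hardened:  ", demo(revoke_previous=True))
```

With `revoke_previous_on_login=False` the store ends up with three live sessions for one user and the two older ids still authenticate, which is the condition CWE-613 describes; with the default `True` only the id from the most recent login works. Real deployments that need more than one concurrent session per user should at least bound the count and expire ids on logout and after an idle timeout.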
Meta Information
Published: 2026-02-18
Last Modified: 2026-02-18
Generated: 2026-05-07
AI Q&A: 2026-02-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: graylog
Product: graylog
Version / Range: 2.2.3
CWE
CWE-613: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-1435 is a critical vulnerability in Graylog Web Interface version 2.2.3 related to improper session invalidation. When a user logs in, the application generates a new sessionId but does not invalidate previously issued session identifiers. This means that old session tokens remain valid even after multiple consecutive logins by the same user.

An attacker who has access to the network of the Graylog web service or API (such as port 9000 or the HTTP/S endpoint) can exploit this flaw by reusing a stolen or leaked old sessionId. This allows the attacker to gain unauthorized access to the application, interact with the API or web interface, and compromise the integrity of the affected user account.


How can this vulnerability impact me?

This vulnerability can have serious impacts including unauthorized access to your Graylog Web Interface account. An attacker who obtains an old session token can reuse it to authenticate without needing valid credentials.

Such unauthorized access can allow the attacker to interact with the API or web interface, potentially compromising the integrity and confidentiality of your data and operations within the affected account.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves improper session invalidation in Graylog Web Interface version 2.2.3, where old session tokens remain valid after new logins. Detection would involve monitoring for reuse of old session identifiers or unusual session activity on the Graylog web service or API (port 9000 or HTTP/S endpoint).

Specific commands or detection tools are not provided in the available information.
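The answer above names the signal (reuse of a superseded session id) without giving a check. Added here, and not part of the record or of Graylog's tooling, is a small detector that reads login and request audit records and flags any request that presents a session id issued before the same user's most recent login. The log line format, the user names, session ids and addresses are all constructed for the example; the parser must be adapted to whatever access or audit log is actually collected from the Graylog web service or API.

```python
"""Added detection example (hypothetical; not Graylog output or code): find
requests that reuse a session id after the same user has logged in again."""
import re
from collections import defaultdict

# Constructed sample audit lines for the example, not real Graylog output.
SAMPLE_LOG = """\
2026-02-18T09:00:00Z event=login user=alice session=sid-A1 src=10.0.0.5
2026-02-18T09:01:10Z event=request user=alice session=sid-A1 src=10.0.0.5 path=/api/system
2026-02-18T09:30:00Z event=login user=alice session=sid-A2 src=10.0.0.5
2026-02-18T09:31:00Z event=request user=alice session=sid-A2 src=10.0.0.5 path=/api/search
2026-02-18T09:45:00Z event=request user=alice session=sid-A1 src=203.0.113.9 path=/api/users
2026-02-18T10:00:00Z event=login user=bob session=sid-B1 src=10.0.0.7
2026-02-18T10:02:00Z event=request user=bob session=sid-B1 src=10.0.0.7 path=/api/streams
"""

# Assumed key=value layout; only the prefix up to src= is needed.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\w+) user=(?P<user>\S+) "
    r"session=(?P<sid>\S+) src=(?P<src>\S+)"
)


def parse(log_text: str):
    """Yield one dict per well-formed line; silently skip lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_stale_session_reuse(log_text: str) -> list:
    """Return (timestamp, user, session_id, src) for every request whose session
    id was superseded by a later login of the same user. Records must be in
    chronological order, as they are in an append-only audit log."""
    current = {}                    # user -> session id from the latest login
    superseded = defaultdict(set)   # user -> ids issued before the latest login
    findings = []
    for rec in parse(log_text):
        user, sid = rec["user"], rec["sid"]
        if rec["event"] == "login":
            if user in current and current[user] != sid:
                superseded[user].add(current[user])
            current[user] = sid
        elif rec["event"] == "request" and sid in superseded[user]:
            findings.append((rec["ts"], user, sid, rec["src"]))
    return findings


if __name__ == "__main__":
    for ts, user, sid, src in find_stale_session_reuse(SAMPLE_LOG):
        print(f"{ts} stale session {sid} reused for user {user} from {src}")
```

On the sample, the only finding is alice's first session id being presented from a different address after her second login; on a patched server that request would fail authentication, so any hit on a 2.2.3 instance is worth a session revocation and a look at the source address. Sessions that are legitimately concurrent (two browsers, a CLI client and the UI) will also show up, so pair the check with the source address and user-agent before treating it as an incident.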


What immediate steps should I take to mitigate this vulnerability?

The recommended immediate mitigation is to update Graylog to the latest version, as versions prior to the current one, including 2.2.3, do not address this session invalidation issue.

