CVE-2026-1435
Session Fixation in Graylog 2.2.3 Allows Unauthorized Access

Publication date: 2026-02-18

Last updated on: 2026-02-18

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Improper session invalidation vulnerability in Graylog Web Interface, version 2.2.3, due to incorrect management of session invalidation after new logins. The application generates a new 'sessionId' each time a user authenticates, but does not invalidate previously issued session identifiers, which remain valid even after multiple consecutive logins by the same user. As a result, a stolen or leaked 'sessionId' can continue to be used to authenticate requests. Exploiting this vulnerability would allow an attacker with access to the web service/API network (port 9000 or the HTTP/S endpoint of the server) to reuse an old session token to gain unauthorized access to the application, interact with the API/web interface, and compromise the integrity of the affected account.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-02-18
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
1 associated CPE: vendor graylog, product graylog, version 2.2.3
CWE-613: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Executive Summary

CVE-2026-1435 is a critical vulnerability in Graylog Web Interface version 2.2.3 related to improper session invalidation. When a user logs in, the application generates a new sessionId but does not invalidate previously issued session identifiers. This means that old session tokens remain valid even after multiple consecutive logins by the same user.

An attacker who has access to the network of the Graylog web service or API (such as port 9000 or the HTTP/S endpoint) can exploit this flaw by reusing a stolen or leaked old sessionId. This allows the attacker to gain unauthorized access to the application, interact with the API or web interface, and compromise the integrity of the affected user account.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to your Graylog Web Interface account. An attacker who obtains an old session token can reuse it to authenticate without needing valid credentials.

Such unauthorized access can allow the attacker to interact with the API or web interface, potentially compromising the integrity and confidentiality of your data and operations within the affected account.

Detection Guidance

This vulnerability involves improper session invalidation in Graylog Web Interface version 2.2.3, where old session tokens remain valid after new logins. Detection would involve monitoring for reuse of old session identifiers or unusual session activity on the Graylog web service or API (port 9000 or HTTP/S endpoint).

Specific commands or detection tools are not provided in the available information.
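Added example, not from the advisory or the Graylog project: a small Python replay over constructed login/request events (not Graylog's own log format; the field layout and names are assumed) that flags requests carrying a session id that a later login by the same user should have invalidated, which is the reuse pattern the guidance above describes. A correctly behaving server would reject such requests, so any hit is evidence of the flaw being exercised.

```python
# Constructed sample events (NOT Graylog's real log format): each tuple is
# (timestamp, event type, user, session id). A "login" event records the
# session id issued by that login; a "request" event records the session id
# presented on a later web/API request and the account it was attributed to.
SAMPLE_EVENTS = [
    (100, "login",   "alice", "s-a1"),
    (105, "request", "alice", "s-a1"),  # normal use of the current session
    (200, "login",   "alice", "s-a2"),  # new login; s-a1 should now be dead
    (210, "request", "alice", "s-a2"),  # normal
    (250, "request", "alice", "s-a1"),  # superseded id still accepted: flag
    (300, "login",   "bob",   "s-b1"),
    (310, "request", "bob",   "s-b1"),
    (320, "request", "bob",   "s-x9"),  # id never issued by any login: flag
]


def find_stale_session_reuse(events):
    """Replay events in timestamp order and report requests that present a
    session id which a later login by the same user should have invalidated,
    or which no observed login ever issued.

    Returns a list of (timestamp, user, session_id, reason) tuples.
    """
    current = {}    # user -> session id issued by that user's latest login
    issued_to = {}  # session id -> user it was issued to
    findings = []
    for ts, kind, user, sid in sorted(events, key=lambda e: e[0]):
        if kind == "login":
            issued_to[sid] = user
            current[user] = sid  # every earlier id for this user is now stale
        elif kind == "request":
            owner = issued_to.get(sid)
            if owner is None:
                findings.append((ts, user, sid, "session id never issued"))
            elif current.get(owner) != sid:
                findings.append((ts, user, sid, "superseded session id reused"))
    return findings


if __name__ == "__main__":
    for finding in find_stale_session_reuse(SAMPLE_EVENTS):
        print("ALERT", finding)
```

On the constructed input this reports the request at timestamp 250 (alice reusing s-a1 after her second login) and the request at 320 (an id with no matching login); a session id seen before any login in the capture window will also show up as "never issued", so start the replay from a point that covers the logins of interest.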

Mitigation Strategies

The recommended immediate mitigation is to update Graylog to the latest version; versions prior to the current one, including 2.2.3, do not address this session invalidation issue.
