CVE-2026-1435 — Graylog Web Interface
| Field | Value |
|---|---|
| CVE ID | CVE-2026-1435 |
| Affected Product | Graylog Web Interface (confirmed in version 2.2.3; other legacy builds should be reviewed) |
| Vulnerability Type | Session Fixation / Improper Session Invalidation / Insufficient Session Expiration |
| CVSS Score | 9.3 (Critical) |
| Attack Vector | Network (HTTP/HTTPS) |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Not Required |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | Low to None |
| Severity | Critical |
| Exploitability | Remote exploitation possible over HTTP/HTTPS. No authentication required to attempt session reuse. Public weaponized exploit not widely published at the time of writing. Exploitation is technically straightforward for anyone able to obtain or control a session identifier. |
Overview
In the affected Graylog Web Interface version, previously issued session identifiers are not properly invalidated when a user logs in again or establishes a new authenticated session. The expected security behavior is that when a user authenticates, any prior session tokens associated with that account are revoked or replaced. In this case, older session tokens remain valid and usable.
Because of this, if an attacker obtains a valid session ID at any point, that token may continue to grant authenticated access even after the legitimate user logs in again and receives a new session ID. The old session does not get terminated server-side.
This condition enables account takeover without needing credentials once a session token has been captured or fixed.
Technical Root Cause
The issue stems from improper session lifecycle management:
- Server does not invalidate previously issued session tokens upon new login.
- Session rotation does not revoke prior server-side sessions.
- Old tokens remain mapped to active user contexts.
- Session store does not enforce single-session or token revocation logic.
This is categorized under:
- CWE-384: Session Fixation
- CWE-613: Insufficient Session Expiration
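To make the root cause concrete, here is an added Python model of a server-side session store that shows the vulnerable login path (a new ID is issued, the old one stays mapped) next to a hardened one (all prior sessions for the account are revoked before the new ID is issued). It is an illustration written for this page, not Graylog's code; the store layout, the `login_vulnerable` / `login_hardened` names and the injectable clock are assumptions made for the example.

```python
import secrets
import time


class SessionStore:
    """Toy server-side session store: session ID -> (user, expiry).

    Added illustration of the lifecycle bug in the advisory; it is not
    Graylog's code. `now` is injectable so expiry can be tested offline.
    """

    def __init__(self, ttl_seconds=3600, now=time.time):
        self.ttl = ttl_seconds
        self.now = now
        self.sessions = {}  # session_id -> {"user": str, "expires": float}

    def _issue(self, username):
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy: unguessable
        self.sessions[sid] = {"user": username, "expires": self.now() + self.ttl}
        return sid

    def login_vulnerable(self, username):
        """Vulnerable behaviour: a fresh ID is issued, but every earlier ID for
        this account stays mapped to the user and keeps authenticating."""
        return self._issue(username)

    def login_hardened(self, username):
        """Hardened behaviour: revoke all prior sessions for the account before
        issuing the new ID, so a captured or fixed token is dead after re-login."""
        for sid in [s for s, v in self.sessions.items() if v["user"] == username]:
            del self.sessions[sid]
        return self._issue(username)

    def logout(self, sid):
        """Server-side revocation; clearing the browser cookie alone is not enough."""
        self.sessions.pop(sid, None)

    def authenticate(self, sid):
        """Return the user for a live session, or None (the HTTP 401 case)."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] <= self.now():
            del self.sessions[sid]  # expired tokens are purged when touched
            return None
        return entry["user"]


def relogin_flow(login):
    """Run the advisory's attack flow against one login method and report
    (old_token_still_valid, new_token_valid)."""
    store = SessionStore()
    captured = login(store, "admin")  # the ID the attacker obtained earlier
    fresh = login(store, "admin")     # the victim logs in again
    return (store.authenticate(captured) == "admin",
            store.authenticate(fresh) == "admin")


def demo_vulnerable():
    return relogin_flow(SessionStore.login_vulnerable)


def demo_hardened():
    return relogin_flow(SessionStore.login_hardened)


if __name__ == "__main__":
    print("vulnerable (old valid, new valid):", demo_vulnerable())
    print("hardened   (old valid, new valid):", demo_hardened())
```

The hardened path enforces a single live session per account, which is the simplest correct policy. If concurrent sessions are a requirement, the minimum is still server-side revocation on logout, an absolute lifetime, and a "revoke all sessions" action on password change or suspected compromise; rotating the ID without deleting the old mapping, as `login_vulnerable` does, is what this advisory describes.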
Attack Scenario
A typical exploitation flow may occur as follows:
- A valid session ID is obtained by the attacker. This could occur through:
  - Fixation: the attacker plants a session ID in the victim's browser before login, and the server keeps using it after authentication (the CWE-384 case).
  - Access to logs where session IDs are recorded.
  - Browser compromise or XSS (separate vulnerability).
  - Network sniffing in improperly configured environments.
  - Social engineering.
  - Reverse proxy misconfiguration.
  - Debug logging exposure.
- The legitimate user logs in again and receives a new session ID.
- The attacker continues using the previously obtained session ID.
- Because the server does not invalidate the old session, access is granted.
No password is required at this stage. No MFA challenge is triggered because the session is already considered authenticated.
Impact
If exploited successfully:
- Full account takeover.
- Administrative access if an admin session is reused.
- Viewing and exporting sensitive logs.
- Modifying dashboards and alert rules.
- Creating new users.
- Disabling alerts or tampering with logging pipelines.
- Potential lateral movement through exposed log data.
- Ability to cover tracks by deleting audit logs.
In environments where Graylog monitors security infrastructure, the impact is particularly severe.
Proof of Concept (Educational)
The following example demonstrates how exploitation may appear in controlled testing environments.
Step 1 – Capture Session Cookie
A typical Graylog session cookie:
Cookie: sessionId=abc123xyz456
Step 2 – Reuse Old Session
After the victim logs in again, attempt API access using the old session:
GET /api/system HTTP/1.1
Host: graylog.example.com
Cookie: sessionId=abc123xyz456
If vulnerable, the response returns authenticated data instead of redirecting to login.
Expected Secure Behavior
HTTP 401 Unauthorized or redirect to login.
Vulnerable Behavior
HTTP 200 OK with authenticated JSON response.
Indicators of Exploitation
- Same session ID used from multiple IP addresses.
- Same session ID observed across different user agents.
- Old session tokens remain valid after new login event.
- Login event followed by continued use of older session ID.
- Long-lived session tokens without rotation.
- Admin actions executed from unexpected source IPs.
Detection Strategy
Monitoring should focus on session reuse anomalies: one session ID appearing from several client addresses or user agents, and requests that carry a session ID other than the one issued by the user's most recent login. Behind a reverse proxy or load balancer, log the client address from X-Forwarded-For (or the equivalent header your proxy sets) rather than the proxy's own address; otherwise every session appears to come from one IP and the first signal is lost. The field names in the queries below (session_id, username, clientip, useragent, action, uri) are placeholders for whatever your extractions produce.
Splunk Detection – Session From Multiple IPs or User Agents
index=graylog sourcetype=graylog_access
| eval session_id=coalesce(cookie_sessionId, http_cookie_sessionId)
| stats dc(clientip) as unique_ips,
dc(useragent) as unique_agents,
earliest(_time) as first_seen,
latest(_time) as last_seen
by session_id, username
| where unique_ips > 1 OR unique_agents > 1
| table session_id username unique_ips unique_agents first_seen last_seen
Splunk Detection – Session Reuse After Login
index=graylog sourcetype=graylog_access username=* session_id=*
| eval is_login=if(coalesce(action,"")="login_success", 1, 0), login_sid=if(is_login=1, session_id, null())
| sort 0 _time
| streamstats last(login_sid) as newest_session_id by username
| where is_login=0 AND isnotnull(newest_session_id) AND session_id!=newest_session_id
| table _time username session_id newest_session_id clientip useragent uri
The sort is required because streamstats walks events in search order, and stats functions ignore null values, so newest_session_id always holds the ID issued by the user's most recent login_success. Any later request by that user with a different session ID is an old token that was never revoked.
Elastic / Kibana Query
GET graylog-logs-*/_search
{
  "size": 0,
  "aggs": {
    "sessions": {
      "terms": { "field": "http.cookie.sessionId.keyword", "size": 10000 },
      "aggs": {
        "unique_ips": { "cardinality": { "field": "client.ip" } },
        "unique_agents": { "cardinality": { "field": "user_agent.keyword" } },
        "flag_reuse": {
          "bucket_selector": {
            "buckets_path": { "ips": "unique_ips", "agents": "unique_agents" },
            "script": "params.ips > 1 || params.agents > 1"
          }
        }
      }
    }
  }
}
Only buckets where either condition holds are returned:
- unique_ips > 1
- unique_agents > 1
The bucket_selector pipeline aggregation drops the rest server-side. Cardinality is an approximate count in Elasticsearch, but it is exact at counts this small. The field names are examples and must be mapped to your index.
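The same two rules run offline over a handful of constructed access-log lines, as an added example for this page (not a Graylog or vendor detection). The JSON-lines layout and the field names user, session, ip, ua, action and path are assumptions standing in for your real extractions; rule 1 is the multi-origin aggregation from the Splunk and Elastic queries above, rule 2 is the reuse-after-login search.

```python
import json
from collections import defaultdict

# Constructed sample access log in JSON lines; the field names (user, session,
# ip, ua, action, path) are an assumption about what your proxy or Graylog
# access logging emits and must be mapped to your real extractions.
SAMPLE_LOG = """\
{"ts":"2026-03-01T09:00:00Z","user":"alice","session":"S1","ip":"10.0.0.5","ua":"Firefox/128","action":"login_success","path":"/api/system/sessions"}
{"ts":"2026-03-01T09:05:00Z","user":"alice","session":"S1","ip":"10.0.0.5","ua":"Firefox/128","action":"request","path":"/api/dashboards"}
{"ts":"2026-03-01T09:20:00Z","user":"alice","session":"S1","ip":"203.0.113.7","ua":"curl/8.0","action":"request","path":"/api/system"}
{"ts":"2026-03-01T10:00:00Z","user":"alice","session":"S2","ip":"10.0.0.5","ua":"Firefox/128","action":"login_success","path":"/api/system/sessions"}
{"ts":"2026-03-01T10:02:00Z","user":"alice","session":"S2","ip":"10.0.0.5","ua":"Firefox/128","action":"request","path":"/api/search"}
{"ts":"2026-03-01T10:10:00Z","user":"alice","session":"S1","ip":"203.0.113.7","ua":"curl/8.0","action":"request","path":"/api/users"}
{"ts":"2026-03-01T09:30:00Z","user":"bob","session":"S9","ip":"10.0.0.9","ua":"Chrome/124","action":"login_success","path":"/api/system/sessions"}
{"ts":"2026-03-01T09:31:00Z","user":"bob","session":"S9","ip":"10.0.0.9","ua":"Chrome/124","action":"request","path":"/api/search"}
"""


def parse(text):
    """Parse JSON lines and order them by timestamp. ISO-8601 UTC strings of
    equal shape sort correctly as plain strings, which is all the rules need."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def session_anomalies(events):
    """Rule 1 (the Splunk/Elastic aggregation): a session ID observed from
    more than one client IP or more than one user agent."""
    seen = defaultdict(lambda: {"user": None, "ips": set(), "uas": set()})
    for e in events:
        entry = seen[e["session"]]
        entry["user"] = e["user"]
        entry["ips"].add(e["ip"])
        entry["uas"].add(e["ua"])
    return {sid: v for sid, v in seen.items()
            if len(v["ips"]) > 1 or len(v["uas"]) > 1}


def stale_session_use(events):
    """Rule 2 (session reuse after login): once a login_success issues a new
    session for a user, any later request by that user carrying a different
    session ID is the signature of an old token that was never revoked."""
    newest = {}  # user -> session ID from the most recent login_success
    hits = []
    for e in events:
        if e["action"] == "login_success":
            newest[e["user"]] = e["session"]
        elif e["user"] in newest and e["session"] != newest[e["user"]]:
            hits.append({"ts": e["ts"], "user": e["user"], "stale": e["session"],
                         "current": newest[e["user"]], "ip": e["ip"], "path": e["path"]})
    return hits


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for sid, v in session_anomalies(ev).items():
        print("multi-origin session:", sid, v["user"], sorted(v["ips"]), sorted(v["uas"]))
    for h in stale_session_use(ev):
        print("stale session used after re-login:", h)
```

On the sample, rule 1 flags S1 (two addresses, two user agents) and rule 2 flags the 10:10 request that still carries S1 after alice's 10:00 login issued S2; bob's single session is clean. Expect rule 1 to fire on users behind NAT, on VPN or on mobile networks, and rule 2 to fire on legitimately concurrent browsers unless the server enforces one session per account, so tune on your own traffic before alerting.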
Log Sources to Monitor
- Graylog web access logs
- Graylog audit logs
- Reverse proxy logs (NGINX/Apache)
- Load balancer logs
- WAF logs
- Authentication backend logs (LDAP/AD if integrated)
Mitigation
Immediate mitigation steps, none of which removes the root cause:
- Restrict Graylog UI access to internal networks or VPN, which shrinks the set of clients able to present a captured session ID.
- Enforce MFA for privileged accounts. Note the limit: MFA is checked at login, and reuse of an already-authenticated session never reaches that check, so MFA only reduces the chance of an attacker obtaining a session through stolen credentials.
- Reduce the session lifetime, including an absolute limit and not only an idle timeout, so that a captured token expires within a bounded window even if it is never revoked.
- Where the reverse proxy supports it, bind each session cookie to the client address that first presented it and alert on (or reject) the same cookie arriving from a different address. Expect false positives from NAT, VPN and mobile clients, so alerting is safer than blocking in most environments.
- Clear all active sessions in the server-side session store if compromise is suspected. Restarting the Graylog service is not a substitute: Graylog persists sessions in its MongoDB session store, so a restart alone does not revoke them.
- Ensure cookies use:
  - Secure flag
  - HttpOnly flag
  - SameSite=Strict
  These flags reduce the ways a token can be captured (HttpOnly blunts the XSS route, Secure blunts network sniffing); none of them stops reuse of a token already in the attacker's hands.
Remediation
The permanent fix requires upgrading to the patched Graylog release once provided by the vendor.
Official Graylog Security and Upgrade Page:
Official Releases Page:
Upgrade should be performed according to vendor guidance. After upgrading:
- Invalidate all existing sessions.
- Force password reset for privileged users.
- Verify session rotation behavior.
- Test session revocation logic.
Post-Remediation Validation
After upgrade:
- Log in and capture the session ID (session A). Confirm that an API request with session A succeeds, otherwise the rest of the test proves nothing.
- Log in again as the same user and capture the new session ID (session B).
- Attempt an API request with session A. It must be rejected, because the second login must have revoked it.
- Log out of session B, then attempt an API request with session B. It must also be rejected.
If properly fixed, each reused session must return HTTP 401 Unauthorized (or a redirect to the login page), never an authenticated response. The logout check alone is not sufficient; the re-login step is the one that exercises this vulnerability.
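The PoC requests above and this validation procedure can be driven by one script. The following is an added probe written for this page, not Graylog's tooling. It assumes the login endpoint is POST /api/system/sessions returning a JSON body with a session_id field, that logout is DELETE /api/system/sessions/<id>, that API calls need an X-Requested-By header, and that the server accepts the ID in the cookie named in the advisory; all of these are assumptions to adjust for your deployment, and the paths and cookie name are parameters. The `fake_server` is an offline stand-in so the probe can be exercised without a live instance.

```python
import json
import secrets
import sys
import urllib.error
import urllib.parse
import urllib.request

# Added probe for the PoC and post-remediation steps; not Graylog's own tooling.
# Assumed (adjust for your deployment): POST /api/system/sessions logs in and
# returns {"session_id": ...}, DELETE /api/system/sessions/<id> logs out, API
# calls need X-Requested-By, and the ID travels in the advisory's cookie name.


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to the login page must count as a
    rejection, not as the 200 of the page it points to."""
    def redirect_request(self, *args, **kwargs):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def http_send(method, url, cookie=None, body=None):
    """Real transport. Returns (status, body); 3xx/4xx/5xx are returned, not raised."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Accept", "application/json")
    req.add_header("X-Requested-By", "session-probe")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with _opener.open(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(send, base_url, username, password, cookie_name="sessionId",
          login_path="/api/system/sessions", check_path="/api/system"):
    """Log in twice and reuse the first ID, then log out of the second and
    reuse it. Only HTTP 200 counts as 'still authenticated'."""
    def login():
        status, body = send("POST", base_url + login_path, body={
            "username": username, "password": password, "host": "probe"})
        if status != 200:
            raise RuntimeError(f"login failed with HTTP {status}")
        return json.loads(body)["session_id"]

    def check(sid):
        return send("GET", base_url + check_path, cookie=f"{cookie_name}={sid}")[0]

    first = login()
    baseline = check(first)            # must be 200 or the probe is misconfigured
    second = login()                   # the victim logs in again
    old_after_relogin = check(first)   # the token the attacker captured
    send("DELETE", f"{base_url}{login_path}/{second}", cookie=f"{cookie_name}={second}")
    after_logout = check(second)
    return {"baseline": baseline, "old_after_relogin": old_after_relogin,
            "after_logout": after_logout,
            "vulnerable": baseline == 200 and (old_after_relogin == 200 or after_logout == 200)}


def fake_server(revoke_previous):
    """Offline stand-in for a server with (True) or without (False) the fix."""
    live = {}  # session ID -> username

    def send(method, url, cookie=None, body=None):
        path = urllib.parse.urlsplit(url).path
        sid = (cookie or "=").split("=", 1)[1]
        if method == "POST" and path == "/api/system/sessions":
            if revoke_previous:
                for old in [s for s, u in live.items() if u == body["username"]]:
                    del live[old]
            new = secrets.token_hex(16)
            live[new] = body["username"]
            return 200, json.dumps({"session_id": new}).encode()
        if method == "DELETE" and path.startswith("/api/system/sessions/"):
            live.pop(path.rsplit("/", 1)[1], None)
            return 204, b""
        return (200, b"{}") if sid in live else (401, b"")
    return send


def selftest():
    """(verdict against the unfixed model, verdict against the fixed model)."""
    unfixed = probe(fake_server(False), "http://graylog.example.com", "admin", "pw")
    fixed = probe(fake_server(True), "http://graylog.example.com", "admin", "pw")
    return unfixed["vulnerable"], fixed["vulnerable"]


if __name__ == "__main__":
    if len(sys.argv) == 4:  # python probe.py https://graylog.example.com user password
        print(probe(http_send, sys.argv[1].rstrip("/"), sys.argv[2], sys.argv[3]))
    else:
        print("offline self-test (unfixed, fixed):", selftest())
```

Run it against a test account, never a production admin, and read the baseline field first: if the very first session is not accepted, the cookie name or paths are wrong and the "not vulnerable" verdict is meaningless. A redirect to the login page is counted as a rejection because the transport refuses to follow it.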
Risk Assessment
This vulnerability is critical because:
- No credentials required once session obtained.
- Exploitation is silent.
- Detection is difficult without session-level monitoring.
- Administrative accounts are high-value targets.
- Attack leaves minimal forensic traces if logs are manipulated.
Organizations using Graylog in security-sensitive environments should treat this as a priority remediation item.
