cvedb.io
CVE-2026-1435
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2026-02-18T14:16:05.700 · Last modified 2026-06-17T10:15:46.990

Summary

Not properly invalidated session vulnerability in Graylog Web Interface, version 2.2.3, due to incorrect management of session invalidation after new logins. The application generates a new 'sessionId' each time a user authenticates, but does not invalidate previously issued session identifiers, which remain valid even after multiple consecutive logins by the same user. As a result, a stolen or leaked 'sessionId' can continue to be used to authenticate valid requests. Exploiting this vulnerability would allow an attacker with access to the web service/API network (port 9000 or HTTP/S endpoint of the server) to reuse an old session token to gain unauthorized access to the application, interact with the API/web, and compromise the integrity of the affected account.

Affected products

graylog — graylog

Does this affect you?

Add your gear to cvedb and we'll alert you only when graylog ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.