CVE-2026-1436 | Teknoloji dünyasından en güncel haberleri ve güvenlikle ilgili gelişmeleri takip edin.

Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other use…

High CVSS: 7.1

CVE-2026-1436

Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other user's profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive third-party information to be accessed, such as names, email addresses, internal identifiers, and last activity. The endpoint 'http://<IP>:12900/users/<my_user>' does not implement object-level authorization validations.

Vendor

Product

CWE

Yayın Tarihi

2026-02-18 14:16:05

Güncelleme

2026-02-18 20:23:53

Source Identifier

cve-coordination@incibe.es

KEV Date Added

-

Kategoriler

CWE-639 Graylog HIGH Graylog 2026

Referanslar

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-graylog

Benzer Kayıtlar

Medium

CVE-2026-1438

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack…

Medium

CVE-2026-1439

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack…

Medium

CVE-2026-1440

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack…

Medium

CVE-2026-1441

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack…

Critical

CVE-2026-1435

Not properly invalidated session vulnerability in Graylog Web Interface, version 2.2.3, due to incorrect management of s…

Medium

CVE-2026-1437

Reflected Cross-Site Scripting (XSS) vulnerability in the Graylog Web Interface console, version 2.2.3, caused by a lack…