Vulnerability Description
Improper session invalidation vulnerability in Graylog Web Interface, version 2.2.3, caused by incorrect handling of existing sessions after new logins. The application generates a new 'sessionId' each time a user authenticates, but it does not invalidate previously issued session identifiers, so they remain valid even after multiple consecutive logins by the same user. As a result, a stolen or leaked 'sessionId' can continue to be used to authenticate valid requests. Exploiting this vulnerability would allow an attacker with access to the web service/API network (port 9000 or the HTTP/S endpoint of the server) to reuse an old session token to gain unauthorized access to the application, interact with the API/web interface, and compromise the integrity of the affected account.
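A minimal model of the behaviour described above, as an added example that is not Graylog's code: `SessionStore`, `invalidate_on_login` and the `analyst` account are hypothetical names, and the hardened branch assumes a policy of one active session per user. It shows which previously issued identifiers are still accepted after three consecutive logins, with and without invalidation.

```python
import secrets


class SessionStore:
    """In-memory session table (hypothetical model, not Graylog's implementation)."""

    def __init__(self, invalidate_on_login):
        self.invalidate_on_login = invalidate_on_login
        self._sessions = {}  # sessionId -> username

    def login(self, username):
        """Issue a fresh sessionId; optionally revoke the user's older ones first."""
        if self.invalidate_on_login:
            # Hardened path: drop every identifier previously issued to this user.
            stale = [sid for sid, user in self._sessions.items() if user == username]
            for sid in stale:
                del self._sessions[sid]
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = username
        return session_id

    def authenticate(self, session_id):
        """Return the username bound to session_id, or None if it is not valid."""
        return self._sessions.get(session_id)

    def active_sessions(self, username):
        """Count live sessions for a user; more than one after re-login is the flaw."""
        return sum(1 for user in self._sessions.values() if user == username)


def consecutive_logins(store, username="analyst", count=3):
    """Log in `count` times and report, per issued id, whether it is still accepted."""
    issued = [store.login(username) for _ in range(count)]
    return [store.authenticate(sid) is not None for sid in issued]


if __name__ == "__main__":
    # Weak setting: every older sessionId keeps working after each new login.
    print("no invalidation:", consecutive_logins(SessionStore(invalidate_on_login=False)))
    # Hardened setting: only the most recent sessionId is accepted.
    print("invalidation   :", consecutive_logins(SessionStore(invalidate_on_login=True)))
```

Counting live sessions per user, as `active_sessions` does, is also a simple server-side check for whether old identifiers are being left behind.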
CVSS Score
9.8 CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Graylog | Graylog | 2.2.3 |
Related Weaknesses (CWE)
References
- https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-gray (Third Party Advisory)
FAQ
What is CVE-2026-1435?
CVE-2026-1435 is a vulnerability with a CVSS score of 9.8 (CRITICAL). It is an improper session invalidation vulnerability in Graylog Web Interface, version 2.2.3, caused by incorrect handling of existing sessions after new logins. The application generates a new 'sessionId...
How severe is CVE-2026-1435?
CVE-2026-1435 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-1435?
Check the references section above for vendor advisories and patch information. Affected products include: Graylog (vendor: Graylog).