Incorrect management of session invalidation vulnerability in Graylog Web Interface (CVE-2026-1435)

9.3 / 10
CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

Session invalidation vulnerability in Graylog Web Interface, version 2.2.3, caused by incorrect management of session invalidation after new logins. The application generates a new 'sessionId' each time a user authenticates, but does not invalidate previously issued session identifiers, which remain valid even after multiple consecutive logins by the same user. As a result, a stolen or leaked 'sessionId' can continue to be used to authenticate requests. An attacker with network access to the web service/API (port 9000 or the server's HTTP/S endpoint) could reuse an old session token to gain unauthorized access to the application, interact with the API/web interface, and compromise the integrity of the affected account.
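The following is an added illustration of the session-management flaw described above, written for this page and not taken from Graylog's implementation. It contrasts a constructed session store that mints a fresh identifier on every login but never revokes earlier ones (the behaviour the description attributes to 2.2.3) with a hardened store that revokes every session previously issued to the same account when a new login succeeds, supports explicit logout, and bounds session lifetime. Class and function names are hypothetical.

```python
"""Session-store comparison for the vulnerability class of CVE-2026-1435.

Constructed illustration, not Graylog's code. FlawedSessionStore mints a new
sessionId per login and never revokes older ones. HardenedSessionStore keeps a
per-user index so a new login revokes all prior sessions, supports logout, and
enforces a maximum session age.
"""
import hashlib
import secrets
import time
from typing import Dict, Optional, Set, Tuple


def _fingerprint(session_id: str) -> str:
    # Store only a hash of the token so a leaked store dump is not directly replayable.
    return hashlib.sha256(session_id.encode()).hexdigest()


class FlawedSessionStore:
    """Issues a new sessionId per login; earlier identifiers stay valid."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}  # token fingerprint -> username

    def login(self, username: str) -> str:
        session_id = secrets.token_urlsafe(32)
        self._sessions[_fingerprint(session_id)] = username  # nothing is revoked
        return session_id

    def resolve(self, session_id: str) -> Optional[str]:
        return self._sessions.get(_fingerprint(session_id))


class HardenedSessionStore:
    """One active session per user, explicit logout, bounded lifetime."""

    def __init__(self, max_age_s: float = 3600.0, clock=time.monotonic) -> None:
        self._sessions: Dict[str, Tuple[str, float]] = {}  # fp -> (username, issued_at)
        self._by_user: Dict[str, Set[str]] = {}            # username -> {fp, ...}
        self._max_age_s = max_age_s
        self._clock = clock  # injectable so expiry can be tested deterministically

    def login(self, username: str) -> str:
        # Revoke everything previously issued to this account before minting a
        # new identifier, so an earlier (possibly leaked) token cannot be reused.
        for old_fp in self._by_user.pop(username, set()):
            self._sessions.pop(old_fp, None)
        session_id = secrets.token_urlsafe(32)
        fp = _fingerprint(session_id)
        self._sessions[fp] = (username, self._clock())
        self._by_user[username] = {fp}
        return session_id

    def logout(self, session_id: str) -> bool:
        fp = _fingerprint(session_id)
        entry = self._sessions.pop(fp, None)
        if entry is None:
            return False
        self._by_user.get(entry[0], set()).discard(fp)
        return True

    def resolve(self, session_id: str) -> Optional[str]:
        fp = _fingerprint(session_id)
        entry = self._sessions.get(fp)
        if entry is None:
            return None
        username, issued_at = entry
        if self._clock() - issued_at > self._max_age_s:
            # Expired: drop it so stale tokens do not accumulate in the store.
            self._sessions.pop(fp, None)
            self._by_user.get(username, set()).discard(fp)
            return None
        return username


def compare_relogin_behaviour() -> Dict[str, bool]:
    """Log in twice as the same user and check whether the first token survives."""
    flawed = FlawedSessionStore()
    first = flawed.login("alice")
    flawed.login("alice")
    hardened = HardenedSessionStore()
    h_first = hardened.login("alice")
    h_second = hardened.login("alice")
    return {
        "flawed_old_token_still_valid": flawed.resolve(first) == "alice",
        "hardened_old_token_still_valid": hardened.resolve(h_first) == "alice",
        "hardened_new_token_valid": hardened.resolve(h_second) == "alice",
    }


if __name__ == "__main__":
    for name, outcome in compare_relogin_behaviour().items():
        print(f"{name}: {outcome}")
```

The per-user index is the piece that makes revocation possible: without a way to enumerate the sessions belonging to an account, a server can only forget tokens it is handed back, which is exactly why a previously issued identifier stays usable. Applications that deliberately allow several concurrent sessions can keep the same index and evict the oldest entries instead of all of them.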

AI Analysis

Session invalidation vulnerability in Graylog Web Interface due to incorrect management of session identifiers, allowing unauthorized access to the application.

Basic Information

ID CVE-2026-1435
Source INCIBE
Published Feb 18, 2026 at 13:08

Affected Product

Vendor Graylog
Product Graylog Web Interface
Version 2.2.3
Affected Versions Graylog Graylog Web Interface 2.2.3

CWE Classification

AI Assessment

AI Score 9.3 / 10
AI Severity Critical
Vendor Graylog
Product Graylog Web Interface
Version 2.2.3

References
