CVE-2026-1435
Published: 18 February 2026
Summary
CVE-2026-1435 is a critical-severity Insufficient Session Expiration (CWE-613) vulnerability in Graylog. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 22.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-10 (Concurrent Session Control) and AC-12 (Session Termination).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-12 requires systems to automatically terminate user sessions after organization-defined conditions or trigger events such as new logins, directly preventing reuse of previously issued session IDs.
AC-10 limits the number of concurrent sessions per user, typically to one, ensuring old sessions cannot remain valid alongside new ones created on re-authentication.
SI-2 mandates timely flaw remediation, including patching the specific Graylog session invalidation vulnerability to eliminate the root cause of persistent old session IDs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing web/API session management directly enables exploitation of public-facing apps (T1190) and reuse of stolen web session tokens (T1550.004) for unauthorized access.
NVD Description
Not properly invalidated session vulnerability in Graylog Web Interface, version 2.2.3, due to incorrect management of session invalidation after new logins. The application generates a new 'sessionId' each time a user authenticates, but does not invalidate previously issued session identifiers, which remain valid even after multiple consecutive logins by the same user. As a result, a stolen or leaked 'sessionId' can continue to be used to authenticate valid requests. Exploiting this vulnerability would allow an attacker with access to the web service/API network (port 9000 or HTTP/S endpoint of the server) to reuse an old session token to gain unauthorized access to the application, interact with the API/web, and compromise the integrity of the affected account.
Deeper analysis
CVE-2026-1435 is an insufficient session invalidation vulnerability (CWE-613) affecting the Graylog Web Interface in version 2.2.3. The issue stems from incorrect management of session invalidation after new logins: the application generates a new sessionId each time a user authenticates but does not invalidate previously issued session identifiers. As a result, old session IDs remain valid even after multiple consecutive logins by the same user, allowing a stolen or leaked sessionId to continue authenticating valid requests.
An attacker with network access to the Graylog web service or API endpoint (port 9000 or HTTP/S) can exploit this by reusing a stolen or leaked session token to gain unauthorized access to the application. This enables interaction with the API and web interface, potentially compromising the integrity of the affected account. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to network accessibility, low attack complexity, and no required privileges, with high impacts across confidentiality, integrity, and availability.
Mitigation details are available in the INCIBE-CERT advisory on multiple vulnerabilities in Graylog at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-graylog.
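To make the flaw and the two mitigating controls concrete, the following is an added example written for this page; it is not Graylog's code and does not reproduce Graylog's session implementation. `VulnerableSessionStore` models the behaviour described above (a fresh sessionId per login, earlier identifiers never revoked), while `HardenedSessionStore` enforces AC-10 (a cap on concurrent sessions per user, one by default) and AC-12 (termination on new login, logout and idle timeout). The 900-second idle timeout, the `revoke_all_for_user` incident-response helper and the audit-event field names are assumptions chosen for the demonstration, not values from the advisory.

```python
"""Session invalidation demo for CWE-613 (added example, not Graylog code)."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float


class VulnerableSessionStore:
    """Reproduces the flaw the advisory describes: every login mints a fresh
    sessionId, but earlier identifiers for the same user are never revoked,
    so a leaked token stays usable indefinitely."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, now, now)
        return sid

    def authenticate(self, sid: str, now: float) -> Optional[str]:
        session = self.sessions.get(sid)
        return session.user if session else None


class HardenedSessionStore:
    """Applies the controls named on the page: AC-10 caps concurrent sessions
    per user and AC-12 terminates sessions on new login, explicit logout and
    idle timeout. Each revocation is appended to an audit list that a SOC
    could forward to a SIEM (timeout and field names are assumptions)."""

    def __init__(self, idle_timeout: float = 900.0, max_sessions_per_user: int = 1) -> None:
        self.idle_timeout = idle_timeout
        self.max_sessions_per_user = max_sessions_per_user
        self.sessions: Dict[str, Session] = {}
        self.audit: List[dict] = []

    def _revoke(self, sid: str, reason: str, now: float) -> None:
        session = self.sessions.pop(sid, None)
        if session is not None:
            self.audit.append({"event": "session_revoked", "user": session.user,
                               "reason": reason, "ts": now})

    def login(self, user: str, now: float) -> str:
        # AC-10: evict the user's oldest sessions until the new one fits the cap.
        own = sorted((s.issued_at, sid) for sid, s in self.sessions.items() if s.user == user)
        while len(own) >= self.max_sessions_per_user:
            _, oldest = own.pop(0)
            self._revoke(oldest, "superseded_by_new_login", now)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, now, now)
        return sid

    def logout(self, sid: str, now: float) -> None:
        # AC-12: explicit termination by the user.
        self._revoke(sid, "logout", now)

    def revoke_all_for_user(self, user: str, now: float) -> int:
        # Incident-response lever (hypothetical helper): terminate every session
        # of an account once one of its tokens is suspected to have leaked.
        victims = [sid for sid, s in self.sessions.items() if s.user == user]
        for sid in victims:
            self._revoke(sid, "forced_revocation", now)
        return len(victims)

    def authenticate(self, sid: str, now: float) -> Optional[str]:
        session = self.sessions.get(sid)
        if session is None:
            return None
        if now - session.last_seen > self.idle_timeout:
            # AC-12: idle sessions are terminated rather than silently accepted.
            self._revoke(sid, "idle_timeout", now)
            return None
        session.last_seen = now
        return session.user


def demo() -> Dict[str, bool]:
    """Replays the advisory's scenario (two consecutive logins by the same
    user, then reuse of the first token) against both stores."""
    weak = VulnerableSessionStore()
    old = weak.login("alice", now=0)
    weak.login("alice", now=60)  # second login; the old token is left untouched
    hard = HardenedSessionStore()
    h_old = hard.login("alice", now=0)
    h_new = hard.login("alice", now=60)  # supersedes and revokes h_old
    return {
        "vulnerable_old_token_still_valid": weak.authenticate(old, now=120) == "alice",
        "hardened_old_token_rejected": hard.authenticate(h_old, now=120) is None,
        "hardened_new_token_valid": hard.authenticate(h_new, now=120) == "alice",
        "hardened_idle_token_rejected": hard.authenticate(h_new, now=120 + 901) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The first result is the vulnerability itself: the token from the earlier login still authenticates after the user has logged in again. The hardened store rejects it, and the `audit` entries with reason `superseded_by_new_login` are the signal a detection team would look for, since a user whose old tokens keep being presented after revocation is a strong indicator that a session identifier has leaked.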
Details
- CWE(s)