graylog2-server Session Fixation vulnerability through cookie injection
Description
Graylog is a free and open log management platform. Starting in version 4.3.0 and prior to versions 5.1.11 and 5.2.4, reauthenticating with an existing session cookie would re-use that session id, even if for different user credentials. In this case, the pre-existing session could be used to gain elevated access to an existing Graylog login session, provided the malicious user could successfully inject their session cookie into someone else's browser. The complexity of such an attack is high, because it requires presenting a spoofed login screen and injection of a session cookie into an existing browser, potentially through a cross-site scripting attack. No such attack has been discovered. Graylog 5.1.11 and 5.2.4, and any versions of the 6.0 development branch, contain patches to not re-use sessions under any circumstances. Some workarounds are available. Using short session expiration and explicit log outs of unused sessions can help limiting the attack vector. Unpatched this vulnerability exists, but is relatively hard to exploit. A proxy could be leveraged to clear the authentication cookie for the Graylog server URL for the /api/system/sessions endpoint, as that is the only one vulnerable.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.graylog2:graylog2-serverMaven | >= 4.3.0, < 5.1.11 | 5.1.11 |
org.graylog2:graylog2-serverMaven | >= 5.2.0-alpha.1, < 5.2.4 | 5.2.4 |
Affected products
1- Range: >= 4.3.0, < 5.1.11
Patches
2b93a66353f35Merge pull request from GHSA-3xf8-g8gr-g7rh
2 files changed · +5 −9
changelog/unreleased/ghsa-3xf8-g8gr-g7rh.toml+2 −0 added@@ -0,0 +1,2 @@ +type = "security" +message = "Always create new sessions for authentication attempts to fix a potential session fixation vulnerability. [GHSA-3xf8-g8gr-g7rh](https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-3xf8-g8gr-g7rh)"
graylog2-server/src/main/java/org/graylog2/rest/resources/system/SessionsResource.java+3 −9 modified@@ -121,25 +121,19 @@ public Response newSession(@Context ContainerRequestContext requestContext, rejectServiceAccount(createRequest); - final SecurityContext securityContext = requestContext.getSecurityContext(); - if (!(securityContext instanceof ShiroSecurityContext)) { - throw new InternalServerErrorException("Unsupported SecurityContext class, this is a bug!"); - } - final ShiroSecurityContext shiroSecurityContext = (ShiroSecurityContext) securityContext; - final ActorAwareAuthenticationToken authToken; try { authToken = tokenFactory.forRequestBody(createRequest); } catch (IllegalArgumentException e) { throw new BadRequestException(e.getMessage()); } - // we treat the BASIC auth username as the sessionid - final String sessionId = shiroSecurityContext.getUsername(); final String host = RestTools.getRemoteAddrFromRequest(grizzlyRequest, trustedSubnets); try { - Optional<Session> session = sessionCreator.login(sessionId, host, authToken); + // Always create a brand-new session for an authentication attempt by ignoring any previous session ID. + // This avoids a potential session fixation attack. (GHSA-3xf8-g8gr-g7rh) + Optional<Session> session = sessionCreator.login(null, host, authToken); if (session.isPresent()) { final SessionResponse token = sessionResponseFactory.forSession(session.get()); return Response.ok()
1596b749db86Merge pull request from GHSA-3xf8-g8gr-g7rh
2 files changed · +5 −9
changelog/unreleased/ghsa-3xf8-g8gr-g7rh.toml+2 −0 added@@ -0,0 +1,2 @@ +type = "security" +message = "Always create new sessions for authentication attempts to fix a potential session fixation vulnerability. [GHSA-3xf8-g8gr-g7rh](https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-3xf8-g8gr-g7rh)"
graylog2-server/src/main/java/org/graylog2/rest/resources/system/SessionsResource.java+3 −9 modified@@ -121,25 +121,19 @@ public Response newSession(@Context ContainerRequestContext requestContext, rejectServiceAccount(createRequest); - final SecurityContext securityContext = requestContext.getSecurityContext(); - if (!(securityContext instanceof ShiroSecurityContext)) { - throw new InternalServerErrorException("Unsupported SecurityContext class, this is a bug!"); - } - final ShiroSecurityContext shiroSecurityContext = (ShiroSecurityContext) securityContext; - final ActorAwareAuthenticationToken authToken; try { authToken = tokenFactory.forRequestBody(createRequest); } catch (IllegalArgumentException e) { throw new BadRequestException(e.getMessage()); } - // we treat the BASIC auth username as the sessionid - final String sessionId = shiroSecurityContext.getUsername(); final String host = RestTools.getRemoteAddrFromRequest(grizzlyRequest, trustedSubnets); try { - Optional<Session> session = sessionCreator.login(sessionId, host, authToken); + // Always create a brand-new session for an authentication attempt by ignoring any previous session ID. + // This avoids a potential session fixation attack. (GHSA-3xf8-g8gr-g7rh) + Optional<Session> session = sessionCreator.login(null, host, authToken); if (session.isPresent()) { final SessionResponse token = sessionResponseFactory.forSession(session.get()); return Response.ok()
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-3xf8-g8gr-g7rhghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-24823ghsaADVISORY
- github.com/Graylog2/graylog2-server/commit/1596b749db86368ba476662f23a0f0c5ec2b5097ghsax_refsource_MISCWEB
- github.com/Graylog2/graylog2-server/commit/b93a66353f35a94a4e8f3f75ac4f5cdc5a2d4a6aghsax_refsource_MISCWEB
- github.com/Graylog2/graylog2-server/security/advisories/GHSA-3xf8-g8gr-g7rhghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.