VYPR
Unrated severityNVD Advisory· Published Feb 18, 2026· Updated Feb 18, 2026

Improper Access Control (IDOR) vulnerability in Graylog Web Interface

CVE-2026-1436

Description

Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other user's profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive third-party information to be accessed, such as names, email addresses, internal identifiers, and last activity. The endpoint 'http://:12900/users/<my_user>' does not implement object-level authorization validations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.