Unrated severityNVD Advisory· Published Feb 18, 2026· Updated Feb 18, 2026

Improper Access Control (IDOR) vulnerability in Graylog Web Interface

CVE-2026-1436

Description

Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other user's profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive third-party information to be accessed, such as names, email addresses, internal identifiers, and last activity. The endpoint 'http://<IP>:12900/users/<my_user>' does not implement object-level authorization validations.

Affected products

Graylog/Graylogllm-create
Range: 2.2.3
Graylog/Graylog Web Interfacev5
Range: 2.2.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-graylogmitrepatch

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000