CVE-2025-53106
📋 TL;DR
Graylog users can gain elevated privileges by creating and using API tokens for the local administrator, or for any other user whose ID they know, because of a weak permission check on token creation in the REST API. Any authenticated account can thereby escalate to administrator privileges. Affects Graylog versions 6.2.0 through 6.2.3 and 6.3.0-alpha.1 through 6.3.0-rc.1; fixed in 6.2.4 and 6.3.0-rc.2.
💻 Affected Systems
- Graylog
📦 What is this software?
Graylog by Graylog
⚠️ Risk & Real-World Impact
Worst Case
Any authenticated user becomes full administrator, gaining complete control over the Graylog instance including access to all logs, configuration changes, and user management.
Likely Case
Malicious insider or compromised account escalates privileges to administrator level, potentially accessing sensitive log data or disrupting logging operations.
If Mitigated
With regular users barred from creating personal access tokens, the attack path is closed; with monitoring of token creation in place, any token issued for an account other than the requester's own can be detected and revoked before it is used.
🎯 Exploit Status
Exploitation requires an authenticated Graylog user account and knowledge of the target user's ID; with those in hand, the attack is a hand-crafted request to the REST API and is straightforward to perform.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.2.4 or 6.3.0-rc.2
Vendor Advisory: https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-3m86-c9x3-vwm9
Restart Required: Yes
Instructions:
1. Back up the Graylog configuration and data.
2. Stop the Graylog services.
3. Upgrade to Graylog 6.2.4 or 6.3.0-rc.2.
4. Restart the Graylog services.
5. Verify that the upgrade completed successfully (the reported version should be 6.2.4 or later, or 6.3.0-rc.2 or later).
🔧 Temporary Workarounds
Disable Personal Access Tokens
Disable the ability of regular users to create personal access tokens via the Graylog web interface (System > Configuration > Users > 'Allow users to create personal access tokens'). This setting exists in 6.2.0 and above; because the attack depends on the attacker creating a token, turning it off closes the attack path for non-administrators.
🧯 If You Can't Patch
- Disable personal access token creation for regular users in System > Configuration > Users > 'Allow users to create personal access tokens' (available in 6.2.0 and above)
- Keep the set of accounts that can create tokens minimal, monitor token creation requests to the REST API, and regularly audit existing tokens, revoking any that were created for a user other than the requesting account
🔍 How to Verify
Check if Vulnerable:
Check the Graylog version in the web interface under System > Nodes, or via the REST API endpoint GET /api/system, whose JSON response carries the running version in its "version" field.
Check Version:
curl -s -u admin:password http://graylog-server:9000/api/system | tr ',' '\n' | grep '"version"'
Verify Fix Applied:
Confirm version is 6.2.4 or higher, or 6.3.0-rc.2 or higher
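The version check above is easy to get wrong by hand when pre-release tags are involved (6.3.0-rc.1 is affected, 6.3.0-rc.2 is not, and Graylog appends build metadata such as +1e7c8ab to the string). The following script is an added example, not Graylog's own tooling: it pulls the version from GET /api/system over HTTP basic auth and compares it against the affected ranges stated in the advisory. The base URL, credentials and the sample JSON in the test are assumptions; the inclusive ranges are copied from the advisory.

```python
"""Added example (not Graylog's own code): decide whether a Graylog version
falls in the range affected by CVE-2025-53106.

Affected per the advisory: 6.2.0 through 6.2.3, and 6.3.0-alpha.1 through
6.3.0-rc.1. Fixed in 6.2.4 and 6.3.0-rc.2.
"""
import base64
import json
import re
import sys
import urllib.request

# Affected ranges, inclusive, copied from the advisory.
AFFECTED_RANGES = (
    ("6.2.0", "6.2.3"),
    ("6.3.0-alpha.1", "6.3.0-rc.1"),
)

_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 99  # a final release sorts after every pre-release of its number

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)"              # major.minor.patch
    r"(?:-(alpha|beta|rc)\.(\d+))?"      # optional pre-release tag, e.g. -rc.1
    r"(?:\+[0-9A-Za-z.-]+)?$"            # optional build metadata, e.g. +1e7c8ab
)


def parse_version(version):
    """Turn '6.3.0-rc.1' or '6.2.3+1e7c8ab' into a tuple that compares correctly.

    Build metadata after '+' is ignored. Strings the pattern does not cover
    (e.g. SNAPSHOT builds) raise ValueError instead of being guessed at.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Graylog version string: {version!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    if m.group(4):
        pre = (_PRE_RANK[m.group(4)], int(m.group(5)))
    else:
        pre = (_FINAL_RANK, 0)
    return core, pre


def is_vulnerable(version):
    """True if the version lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def version_from_system_json(body):
    """Extract the 'version' field from a GET /api/system response body."""
    return json.loads(body)["version"]


def fetch_version(base_url, username, password, timeout=10):
    """Call GET /api/system with HTTP basic auth and return the reported version.

    base_url is assumed to look like 'http://graylog-server:9000'.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/api/system",
                                 headers={"Accept": "application/json"})
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + creds)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return version_from_system_json(resp.read().decode())


if __name__ == "__main__":
    # Usage: python3 check_graylog.py http://graylog-server:9000 admin 'password'
    url, user, password = sys.argv[1:4]
    ver = fetch_version(url, user, password)
    print(f"{ver}: {'VULNERABLE' if is_vulnerable(ver) else 'not affected'}")
```

A final release is ranked above every pre-release of the same number, so 6.2.0-rc.3 (before the affected range starts) and 6.3.0 (after it ends) are both reported as not affected, while 6.3.0-beta.2 sits between alpha.1 and rc.1 and is reported as affected.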
📡 Detection & Monitoring
Log Indicators:
- Unusual API token creation events
- Token creation for users other than the requesting user
- Multiple token creation attempts
Network Indicators:
- POST requests to /api/users/<user-id>/tokens/<token-name> where the user ID in the path is not that of the requesting account, especially when the requester is not an administrator
SIEM Query:
source="graylog" AND ("created token" OR "personal access token") AND user!="admin"