CVE-2025-53106

EPSS 0.5%
Veröffentlicht 02.07.2025 13:28:08
Zuletzt bearbeitet 30.10.2025 15:45:51
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Graylog vulnerable to privilege escalation through API tokens

Graylog is a free and open log management platform. In versions 6.2.0 to before 6.2.4 and 6.3.0-alpha.1 to before 6.3.0-rc.2, Graylog users can gain elevated privileges by creating and using API tokens for the local Administrator or any other user for whom the malicious user knows the ID. For the attack to succeed, the attacker needs a user account in Graylog. They can then proceed to issue hand-crafted requests to the Graylog REST API and exploit a weak permission check for token creation. This issue has been patched in versions 6.2.4 and 6.3.0-rc.2. A workaround involves disabling the respective configuration found in System > Configuration > Users > "Allow users to create personal access tokens".

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 12 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Graylog ≫ Graylog Version >= 6.2.0 < 6.2.4

Graylog ≫ Graylog Version6.3.0 Update-

Graylog ≫ Graylog Version6.3.0 Updatealpha1

Graylog ≫ Graylog Version6.3.0 Updatealpha2

Graylog ≫ Graylog Version6.3.0 Updatealpha3

Graylog ≫ Graylog Version6.3.0 Updatealpha4

Graylog ≫ Graylog Version6.3.0 Updatebeta1

Graylog ≫ Graylog Version6.3.0 Updatebeta2

Graylog ≫ Graylog Version6.3.0 Updatebeta3

Graylog ≫ Graylog Version6.3.0 Updatebeta4

Graylog ≫ Graylog Version6.3.0 Updatebeta5

Graylog ≫ Graylog Version6.3.0 Updaterc1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.5%	0.387

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	8.8	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-3m86-c9x3-vwm9

Third Party Advisory

https://github.com/Graylog2/graylog2-server/commit/6936bd16a783c2944a3d2f1e83902062520f90e3

Patch

https://github.com/Graylog2/graylog2-server/commit/9215b8f1fd32566c31e6f7447ed864df3590c157

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-53106

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-53106

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-53106

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-53106