SB20260625125 - Multiple vulnerabilities in Graylog
Published: June 25, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper Neutralization of Special Elements (CVE-ID: CVE-2026-55841)
CWE-ID: CWE-138 - Improper Neutralization of Special Elements
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to modify or delete log message fields and cause log messages to be discarded.
The vulnerability exists due to improper neutralization of special elements in the syslog message parser when parsing key-value formatted syslog messages. A remote attacker can send a specially crafted syslog message to modify or delete log message fields and cause log messages to be discarded.
Because the attack needs no credentials (PR:N in the vector), any host that can deliver syslog to the affected input can use it for log evasion, rewriting or blanking fields so that events are misattributed or dropped and malicious activity is obscured.
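The weakness class behind CVE-2026-55841 is easier to see in code. The following is an added example, not Graylog's parser or anything from the vendor: the syslog layout, the reserved field names and the "empty message is discarded" rule are assumptions chosen to show how a key-value body that is written straight into the event lets a sender overwrite header-derived fields, and how a parser that refuses to overwrite or blank those fields behaves on the same constructed input.

```python
"""
Illustration of CWE-138 in a key-value syslog parser. This is NOT Graylog's
code: the header layout, RESERVED_FIELDS and the should_store() rule are
assumptions made for the example.
"""
import re
from typing import Dict, List, Tuple

# Fields the (assumed) pipeline derives from the syslog header and relies on
# for routing, retention and alerting.
RESERVED_FIELDS = {"timestamp", "source", "facility", "level", "message"}

# Assumed layout: <pri>Mmm dd hh:mm:ss host tag: body
HEADER_RE = re.compile(r"<(\d+)>(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")
# key=value or key="quoted value"; the value may be empty.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Constructed sample lines (not real captures).
BENIGN = "<13>Jun 25 12:00:00 web01 app: user=alice action=login result=ok"
# Same shape, but the body carries keys that collide with header-derived fields
# and blanks the message.
CRAFTED = "<13>Jun 25 12:00:00 web01 app: user=mallory action=login source=trusted-host message="


def header_fields(raw: str) -> Dict[str, str]:
    """Split the syslog header into the fields the pipeline depends on."""
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError("not a syslog line")
    pri, ts, host, tag, body = m.groups()
    return {"timestamp": ts, "source": host, "facility": tag,
            "level": str(int(pri) & 7), "message": body}


def should_store(fields: Dict[str, str]) -> bool:
    """Assumed downstream rule: events with an empty message are discarded."""
    return bool(fields.get("message"))


def parse_naive(raw: str) -> Dict[str, str]:
    """Vulnerable: every key=value in the body is written straight into the event,
    so a sender-chosen key silently replaces a header-derived field."""
    fields = header_fields(raw)
    for key, value in KV_RE.findall(fields["message"]):
        fields[key] = value.strip('"')
    return fields


def parse_hardened(raw: str) -> Tuple[Dict[str, str], List[str]]:
    """Hardened: body pairs may only add new, non-empty fields; keys that collide
    with reserved fields are rejected and reported so they can be audited."""
    fields = header_fields(raw)
    rejected: List[str] = []
    for key, value in KV_RE.findall(fields["message"]):
        value = value.strip('"')
        if key in RESERVED_FIELDS or not value:
            rejected.append(key)
            continue
        fields[key] = value
    return fields, rejected


if __name__ == "__main__":
    print("naive/crafted  :", parse_naive(CRAFTED), should_store(parse_naive(CRAFTED)))
    print("hardened/crafted:", parse_hardened(CRAFTED))
```

On the constructed crafted line the naive parser reports the event as coming from `trusted-host` and then drops it because its message is now empty; the hardened parser keeps `source=web01`, keeps the original body as the message, and lists `source` and `message` as rejected keys, which is itself a useful detection signal for senders probing the parser.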
2) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-55867)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to delete other users' access tokens.
The vulnerability exists due to improper access control in the token revocation endpoint when handling token revocation requests. A remote user can supply a valid token identifier belonging to another user to delete other users' access tokens.
The issue does not expose token contents, but service account tokens and administrator tokens can also be deleted, which can break integrations and automation that depend on them (the availability impact reflected in the vector).
Remediation
Install the update from the vendor's website.