CVE-2026-1435
Graylog · Graylog Web Interface
Graylog Web Interface 2.2.3 fails to invalidate old session identifiers upon new logins, allowing attackers with a leaked sessionId to maintain unauthorized persistent access to the account.
Executive summary
Graylog Web Interface 2.2.3 is vulnerable to session mismanagement that allows attackers to reuse old session tokens to gain unauthorized access to administrative functions and sensitive API data.
Vulnerability
This is a session invalidation vulnerability where the application generates new session IDs but fails to revoke previous ones. An attacker who has previously obtained or intercepted a valid session token can continue to authenticate requests even after the legitimate user has re-authenticated or logged out.
Business impact
A successful exploit allows for persistent, unauthorized access to the Graylog management console and its associated APIs. Given the critical CVSS score of 9.8, this flaw poses a severe risk to data integrity and confidentiality, as Graylog often handles sensitive log data from across an entire enterprise infrastructure. Unauthorized access could lead to the exposure of proprietary logs or the modification of system configurations.
Remediation
Immediate Action: Update the Graylog Web Interface to the latest stable version provided by the vendor to ensure proper session lifecycle management.
Proactive Monitoring: Review web server and API logs for multiple concurrent sessions originating from different IP addresses for the same user account.
Compensating Controls: Implement short session timeouts and enforce multi-factor authentication (MFA) to reduce the window of opportunity for token reuse.
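One way to carry out the monitoring step above, as an added example that is not part of the advisory and not Graylog's own code: it scans constructed, Graylog-style session log lines (the line format, user names, session ids and addresses are all assumptions) and flags any request accepted under a session id that should have been invalidated by a later login of the same account, reporting the requesting IP next to the IP of the newer login.

```python
import re
from collections import defaultdict

# Constructed sample log lines; the format is an assumption, not Graylog's real format.
SAMPLE_LOG = """\
2026-03-01T10:00:00Z user=alice sid=S1 ip=10.0.0.5 event=login
2026-03-01T10:05:00Z user=alice sid=S1 ip=10.0.0.5 event=api_request path=/api/system
2026-03-01T11:00:00Z user=alice sid=S2 ip=10.0.0.5 event=login
2026-03-01T11:02:00Z user=alice sid=S1 ip=203.0.113.9 event=api_request path=/api/users
2026-03-01T11:03:00Z user=bob sid=S3 ip=10.0.0.7 event=login
2026-03-01T11:04:00Z user=bob sid=S3 ip=10.0.0.7 event=api_request path=/api/streams
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+)"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_stale_session_use(log_text):
    """Return (user, stale_sid, request_ip, timestamp, current_login_ip) for every
    request served under a session id that a later login of the same user should
    have invalidated. A correctly patched server would produce no findings."""
    current = {}                   # user -> (sid, ip) of the most recent login
    superseded = defaultdict(set)  # user -> session ids that should be dead
    findings = []
    for rec in parse(log_text):
        user, sid = rec["user"], rec["sid"]
        if rec["event"] == "login":
            old = current.get(user)
            if old and old[0] != sid:
                superseded[user].add(old[0])
            current[user] = (sid, rec["ip"])
        elif sid in superseded[user]:
            findings.append((user, sid, rec["ip"], rec["ts"], current[user][1]))
    return findings
```

A finding whose request IP differs from the login IP, as in the alice sample, is the pattern the advisory's monitoring advice is looking for.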
Exploitation status
Public Exploit Available: No
Analyst recommendation
The severity of this vulnerability stems from the failure of a core security boundary—session management. Organizations must prioritize updating Graylog instances immediately. Failure to remediate this flaw leaves the door open for long-term persistence by malicious actors who have gained access to session identifiers.