
Security Notice Update #1

Graylog Security Notice – Escalated Privilege Vulnerability

Date: 24 June 2025
Severity: High
CVE ID: submitted, publication pending
Product/Component Affected: All Graylog Editions – Open, Enterprise and Security


Summary

We have identified a security vulnerability in Graylog that could allow a local or authenticated user to escalate privileges beyond what is assigned. This issue has been assigned a severity rating of High. If successfully exploited, an attacker could gain elevated access and perform unauthorized actions within the affected environment.


Affected Versions

Graylog Versions 6.2.0, 6.2.1, 6.2.2 and 6.2.3


Impact

Graylog users can gain elevated privileges by creating and using API tokens for the local Administrator or any other user for whom the malicious actor knows the ID.

For the vulnerability to be exploited, an attacker would require a user account in Graylog. Once authenticated, the malicious actor can proceed to issue hand-crafted requests to the Graylog REST API and exploit a weak permission check for token creation.

Update June 30th, 2025: Please see CVE-2025-53106 for details


Workaround

In Graylog version 6.2.0 and above, regular users can be restricted from creating API tokens. The respective configuration can be found in System > Configuration > Users > “Allow users to create personal access tokens”. This option should be Disabled, so that only administrators are allowed to create tokens.


Full Resolution

A fix has been released in Graylog Version 6.2.4. We strongly advise all affected users to apply the patch as soon as possible.

6.2.4 Download Link

6.2.4 Changelog


Recommended Actions

Check Audit Log (Graylog Enterprise, Graylog Security only)

Graylog Enterprise and Graylog Security provide an audit log that can be used to review which API tokens were created when the system was vulnerable. Please search the Audit Log for action: create token and match the Actor with the user for whom the token was created. In most cases this should be the same user, but there might be legitimate reasons for users to be allowed to create tokens for other users. If in doubt, please review the user’s actual permissions.


Review API token creation requests

Graylog Open does not provide audit logging, but many setups contain infrastructure components, like reverse proxies, in front of the Graylog REST API. These components often provide HTTP access logs. Please check the access logs to detect malicious token creations by reviewing all API token requests to the /api/users/{user_id}/tokens/{token_name} endpoint ({user_id} and {token_name} may be arbitrary strings).
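The access-log review described above, as an added example that is not part of the original notice or of Graylog's own tooling: it scans combined-format reverse-proxy log lines for requests to the token endpoint and lists the successful creations per client and target user. The sample lines, the user IDs in them and the assumption that a creation is a POST on that path are constructed for this example.

```python
import re
from collections import Counter

# Combined/common access-log line as nginx or Apache writes it in front of Graylog.
ACCESS_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The endpoint named in the notice; {user_id} and {token_name} are arbitrary strings.
TOKEN_PATH = re.compile(
    r'^/api/users/(?P<user_id>[^/?]+)/tokens/(?P<token_name>[^/?]+)/?(?:\?.*)?$'
)


def find_token_requests(lines):
    """Return every request (any method) to /api/users/{user_id}/tokens/{token_name}."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # not a line in the format we parse; skip it
        p = TOKEN_PATH.match(m.group("target"))
        if not p:
            continue  # e.g. GET /api/users/{id}/tokens (listing), not the named-token path
        hits.append({"client": m.group("client"), "time": m.group("ts"),
                     "method": m.group("method"), "status": int(m.group("status")),
                     "user_id": p.group("user_id"), "token_name": p.group("token_name")})
    return hits


def successful_token_creations(lines):
    """Assumption: a token is created with POST on that path; keep only 2xx responses."""
    return [h for h in find_token_requests(lines)
            if h["method"] == "POST" and 200 <= h["status"] < 300]


def creations_by_client(lines):
    """Count creations per (client, user_id): one client minting tokens for several users stands out."""
    return Counter((h["client"], h["user_id"]) for h in successful_token_creations(lines))


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.5 - - [24/Jun/2025:10:15:01 +0000] "POST /api/users/local:admin/tokens/backup HTTP/1.1" 200 312',
    '203.0.113.5 - - [24/Jun/2025:10:15:03 +0000] "GET /api/users/local:admin/tokens HTTP/1.1" 200 512',
    '198.51.100.7 - - [24/Jun/2025:10:20:44 +0000] "POST /api/users/5f1c2a3b4c5d6e7f8a9b0c1d/tokens/cli HTTP/1.1" 200 300',
    '198.51.100.7 - - [24/Jun/2025:10:21:10 +0000] "DELETE /api/users/5f1c2a3b4c5d6e7f8a9b0c1d/tokens/old HTTP/1.1" 204 0',
    '203.0.113.5 - - [24/Jun/2025:11:02:09 +0000] "POST /api/users/5f1c2a3b4c5d6e7f8a9b0c1d/tokens/x HTTP/1.1" 403 88',
]

if __name__ == "__main__":
    for h in successful_token_creations(SAMPLE_LOG):
        print(f'{h["time"]} {h["client"]} created token "{h["token_name"]}" for user {h["user_id"]}')
```

Each reported (client, user_id) pair still has to be matched against who actually owns that account; the access log shows the source address, not the authenticated actor.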


Graylog Cloud Customers

Please note: All Graylog Cloud environments have already been updated to version 6.2.4 and have also been successfully audited for any attempt to exploit this privilege escalation vulnerability.

About Graylog
At Graylog, our vision is a secure digital world where organizations of all sizes can effectively guard against cyber threats. We’re committed to turning this vision into reality by providing Threat Detection & Response that sets the standard for excellence. Our cloud-native architecture delivers SIEM, API Security, and Enterprise Log Management solutions that are not just efficient and effective—whether hosted by us, on-premises, or in your cloud—but also deliver a fantastic Analyst Experience at the lowest total cost of ownership. We aim to equip security analysts with the best tools for the job, empowering every organization to stand resilient in the ever-evolving cybersecurity landscape.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
