Graylog Security Notice – Escalated Privilege Vulnerability

Date: 24 June 2025
Severity: High
CVE ID: submitted, publication pending
Product/Component Affected: All Graylog Editions – Open, Enterprise and Security

Summary

We have identified a security vulnerability in Graylog that could allow a local or authenticated user to escalate privileges beyond what is assigned. This issue has been assigned a severity rating of High. If successfully exploited, an attacker could gain elevated access and perform unauthorized actions within the affected environment.

Affected Versions

Graylog Versions 6.2.0, 6.2.1, 6.2.2 and 6.2.3

Impact

Graylog users can gain elevated privileges by creating and using API tokens for the local Administrator or any other user for whom the malicious actor knows the ID.

For the vulnerability to be exploited, an attacker would require a user account in Graylog. Once authenticated, the malicious actor can proceed to issue hand-crafted requests to the Graylog REST API and exploit a weak permission check for token creation.

Workaround

In Graylog version 6.2.0 and above, regular users can be restricted from creating API tokens. The respective configuration can be found in System > Configuration > Users > “Allow users to create personal access tokens”. This option should be Disabled, so that only administrators are allowed to create tokens.

Full Resolution

A fix has been released in Graylog Version 6.2.4. We strongly advise all affected users to apply the patch as soon as possible.

6.2.4 Download Link

6.2.4 Changelog

Recommended Actions

Check Audit Log (Graylog Enterprise, Graylog Security only)

Graylog Enterprise and Graylog Security provide an audit log that can be used to review which API tokens were created when the system was vulnerable. Please search the Audit Log for action: create token and match the Actor with the user for whom the token was created. In most cases this should be the same user, but there might be legitimate reasons for users to be allowed to create tokens for other users. If in doubt, please review the user’s actual permissions.

Review API token creation requests

Graylog Open does not provide audit logging, but many setups contain infrastructure components, like reverse proxies, in front of the Graylog REST API. These components often provide HTTP access logs. Please check the access logs to detect malicious token creations by reviewing all API token requests to the /api/users/{user_id}/tokens/{token_name} endpoint ({user_id} and {token_name} may be arbitrary strings).
Graylog Cloud Customers

Please note: All Graylog Cloud environments have already been updated to version 6.2.4 and have also been successfully audited for any attempt to exploit this privilege escalation vulnerability.