
A vulnerability was found in Graylog—a popular Security Information and Event Management (SIEM) solution. Tracked as CVE-2025-53106 and scoring 8.8 on the CVSS v4 scale, this critical flaw allows privilege escalation via API token abuse, threatening the security posture of organizations relying on Graylog for centralized log analytics and event monitoring.
According to the advisory, a malicious user with a valid Graylog account can craft API requests to gain elevated privileges. “Graylog users can gain elevated privileges by creating and using API tokens for the local Administrator or any other user for whom the malicious user knows the ID,” the advisory states.
The vulnerability is due to a weak permission check in the token creation process of the Graylog REST API. If exploited, this could allow attackers to generate tokens impersonating other users, including administrators.
The flaw affects all Graylog versions from 6.2.0 and above, but has been patched in versions 6.2.4 and 6.3.0-rc.2. If your deployment falls within the affected range and has not yet been updated, you’re potentially leaving the door wide open to privilege escalation attacks.
Organizations not yet able to upgrade can mitigate the risk by tweaking user permissions. The advisory recommends:
“In Graylog version 6.2.0 and above, regular users can be restricted from creating API tokens… This option should be Disabled, so that only administrators are allowed to create tokens.”
This simple configuration change under System > Configuration > Users > “Allow users to create personal access tokens” could block exploit attempts until a full upgrade is possible.
After upgrading, administrators are urged to review existing API tokens via System > Users and Teams > Token Management to ensure no unauthorized tokens persist.
For Graylog Enterprise users, the Audit Log feature becomes essential. “Please search the Audit Log for action:create token and match the Actor with the user for whom the token was created,” the advisory suggests.
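The Audit Log check the advisory describes, as an added example that is not part of the original article or of Graylog itself: the entries below are constructed newline-delimited JSON, and the field names (action, actor, target_user, token_name) are assumptions for illustration rather than Graylog's real audit schema. The check flags every "create token" event where the Actor differs from the user the token was created for, while treating administrators creating tokens for others as expected once the advisory's recommended setting is in place.

```python
import json
from dataclasses import dataclass

# Constructed sample audit entries (NOT Graylog's real audit log format);
# the field names below are assumptions used only for this illustration.
SAMPLE_AUDIT_LOG = """
{"timestamp": "2025-07-01T10:02:11Z", "action": "create token", "actor": "alice", "target_user": "alice", "token_name": "alice-cli"}
{"timestamp": "2025-07-01T10:05:42Z", "action": "create token", "actor": "bob", "target_user": "admin", "token_name": "backup"}
{"timestamp": "2025-07-01T10:06:03Z", "action": "login", "actor": "bob", "target_user": "bob"}
{"timestamp": "2025-07-01T10:09:27Z", "action": "create token", "actor": "admin", "target_user": "carol", "token_name": "carol-ingest"}
{"timestamp": "2025-07-01T10:11:58Z", "action": "create token", "actor": "bob", "target_user": "carol", "token_name": "sync"}
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    actor: str
    target_user: str
    token_name: str


def parse_audit_log(text: str) -> list[dict]:
    """Parse newline-delimited JSON audit entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def suspicious_token_creations(entries: list[dict],
                               admins: frozenset = frozenset({"admin"})) -> list[Finding]:
    """Return 'create token' events where the Actor is not the token's owner
    and the Actor is not an administrator.

    An administrator creating a token for another user is the expected
    workflow when regular users are barred from creating tokens; a regular
    user creating a token for someone else is the pattern the advisory
    tells operators to look for after CVE-2025-53106.
    """
    findings = []
    for e in entries:
        if e.get("action") != "create token":
            continue
        actor, target = e.get("actor"), e.get("target_user")
        if actor != target and actor not in admins:
            findings.append(Finding(e["timestamp"], actor, target, e.get("token_name", "")))
    return findings


if __name__ == "__main__":
    for f in suspicious_token_creations(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{f.timestamp} actor={f.actor} created token {f.token_name!r} for {f.target_user}")
```

Each flagged row names a token to revoke under System > Users and Teams > Token Management and an account whose activity deserves a closer look.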
Even for those using Graylog Open, logs from reverse proxies can help track suspicious token creation requests—particularly those targeting the endpoint: