
CVE-2025-53106: CWE-285: Improper Authorization in Graylog2 graylog2-server

High
Tags: Vulnerability, CVE-2025-53106, cve, cwe-285
Published: Wed Jul 02 2025 (07/02/2025, 13:28:08 UTC)
Source: CVE Database V5
Vendor/Project: Graylog2
Product: graylog2-server

Description

Graylog is a free and open log management platform. In versions 6.2.0 to before 6.2.4 and 6.3.0-alpha.1 to before 6.3.0-rc.2, Graylog users can gain elevated privileges by creating and using API tokens for the local Administrator or any other user for whom the malicious user knows the ID. For the attack to succeed, the attacker needs a user account in Graylog. They can then proceed to issue hand-crafted requests to the Graylog REST API and exploit a weak permission check for token creation. This issue has been patched in versions 6.2.4 and 6.3.0-rc.2. A workaround involves disabling the respective configuration found in System > Configuration > Users > "Allow users to create personal access tokens".

AI-Powered Analysis

Last updated: 07/02/2025, 13:54:34 UTC

Technical Analysis

CVE-2025-53106 is a high-severity improper authorization vulnerability (CWE-285) affecting Graylog2's graylog2-server versions 6.2.0 up to but not including 6.2.4, and 6.3.0-alpha.1 up to but not including 6.3.0-rc.2. Graylog is an open-source log management platform widely used for centralized log collection, analysis, and monitoring. The vulnerability allows an attacker with a valid Graylog user account to escalate privileges by exploiting a weak permission check in the Graylog REST API's token creation functionality. Specifically, an attacker who knows the user ID of the local Administrator or any other user can craft API requests to create personal access tokens impersonating that user, effectively gaining elevated privileges. This attack requires authentication (a valid user account) and some user interaction to send crafted API requests. The vulnerability arises from insufficient authorization controls on the API endpoint responsible for token creation, allowing users with limited privileges to create tokens for higher-privileged accounts. The issue has been patched in Graylog versions 6.2.4 and 6.3.0-rc.2. As a workaround, administrators can disable the "Allow users to create personal access tokens" setting in System > Configuration > Users to prevent token creation by users. The CVSS 4.0 base score is 8.8 (high), reflecting network attack vector, low attack complexity, partial authentication required, user interaction needed, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the vulnerability presents a significant risk due to the potential for privilege escalation within critical log management infrastructure.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the security and integrity of centralized logging systems. Graylog servers often collect sensitive operational, security, and compliance-related logs, which if compromised, can lead to unauthorized access to critical information, tampering with logs, or disruption of monitoring capabilities. An attacker exploiting this flaw could gain administrative privileges, allowing them to manipulate logs to cover malicious activities, disable alerting, or exfiltrate sensitive data. This undermines incident detection and response efforts, potentially leading to prolonged undetected breaches. Organizations in regulated sectors such as finance, healthcare, and government are particularly at risk due to strict compliance requirements around log integrity and audit trails. The requirement for a valid user account limits the attack surface but insider threats or compromised user credentials could be leveraged. The high severity and ease of exploitation via network requests make timely patching or mitigation critical to prevent privilege escalation and maintain trust in log data integrity.

Mitigation Recommendations

1. Immediate upgrade to Graylog versions 6.2.4 or later, or 6.3.0-rc.2 or later, where the vulnerability is patched.
2. As an interim mitigation, disable the "Allow users to create personal access tokens" option in System > Configuration > Users to prevent token creation by non-administrative users.
3. Implement strict access controls and monitoring on Graylog user accounts, especially those with administrative privileges, including enforcing strong authentication mechanisms and regular credential audits.
4. Monitor Graylog API usage logs for unusual token creation requests or access patterns indicative of exploitation attempts.
5. Employ network segmentation and firewall rules to restrict access to the Graylog REST API only to trusted hosts and users.
6. Conduct regular security assessments and penetration testing focused on Graylog deployments to detect potential abuse of authorization mechanisms.
7. Educate users on the risks of credential compromise and enforce multi-factor authentication (MFA) where possible to reduce the risk of account takeover.
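As an added example for recommendation 4 (not code from Graylog or from this advisory), the following Python flags API access records in which a non-administrative caller issues a token-creation request for a different user's ID, the pattern described in the advisory. It assumes the token endpoint has the shape `POST /api/users/{userId}/tokens/{name}` and that each access record carries the authenticated caller's user ID; both the path pattern and the log layout are assumptions, and the sample records are constructed.

```python
import json
import re
from typing import Iterable

# Assumption for this example: personal access tokens are created via
# POST /api/users/{userId}/tokens/{name}. Adjust to the deployed API if it differs.
TOKEN_CREATE = re.compile(r"^/api/users/(?P<target>[^/]+)/tokens/(?P<name>[^/?]+)$")


def suspicious_token_requests(records: Iterable[dict], admin_ids: set) -> list:
    """Return token-creation requests where the caller targets another user's
    account without holding an admin role. Each record is one API access entry
    with keys: method, path, status, user_id (the authenticated caller)."""
    hits = []
    for rec in records:
        if rec.get("method") != "POST":
            continue
        m = TOKEN_CREATE.match(rec.get("path", ""))
        if not m:
            continue
        caller = rec.get("user_id")
        target = m.group("target")
        # Creating a token for yourself is normal, and an admin creating one for
        # someone else may be legitimate. A non-admin acting on another user's
        # ID is the behaviour CVE-2025-53106 allowed on unpatched versions.
        if target != caller and caller not in admin_ids:
            hits.append({"caller": caller, "target": target,
                         "token_name": m.group("name"), "status": rec.get("status")})
    return hits


# Constructed sample access records in JSON-lines form (not real Graylog output).
SAMPLE_LOG = """
{"ts":"2025-07-01T10:00:01Z","user_id":"u-0042","method":"POST","path":"/api/users/u-0042/tokens/backup","status":200}
{"ts":"2025-07-01T10:00:09Z","user_id":"u-0042","method":"POST","path":"/api/users/local:admin/tokens/sync","status":200}
{"ts":"2025-07-01T10:01:12Z","user_id":"local:admin","method":"POST","path":"/api/users/u-0042/tokens/rotate","status":200}
{"ts":"2025-07-01T10:02:30Z","user_id":"u-0042","method":"GET","path":"/api/users/local:admin/tokens","status":200}
"""


def parse_jsonl(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for hit in suspicious_token_requests(parse_jsonl(SAMPLE_LOG), admin_ids={"local:admin"}):
        print("ALERT cross-user token creation:", hit)
```

On a patched server the same request should be rejected, so a flagged record with a 2xx status is the stronger signal that the workaround or upgrade has not taken effect.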


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-06-25T13:41:23.086Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 686536926f40f0eb7292bf94

Added to database: 7/2/2025, 1:39:30 PM

Last enriched: 7/2/2025, 1:54:34 PM

Last updated: 7/14/2025, 7:31:24 AM

Views: 13
