CVE-2026-1436 is an Improper Access Control vulnerability classified under CWE-639, affecting Graylog Web Interface version 2.2.3. The flaw exists in the Graylog API endpoint that handles user profile access, specifically at the URL pattern 'http://<IP>:12900/users/<user_id>'. The API fails to enforce object-level authorization, allowing an authenticated user to manipulate the user ID parameter in the URL to retrieve other users' profile data without proper permission checks. This results in an Insecure Direct Object Reference (IDOR) scenario where sensitive information such as user names, email addresses, internal identifiers, and last activity details can be disclosed. The vulnerability requires the attacker to be authenticated but does not require any additional privileges or user interaction, making it relatively easy to exploit remotely. The CVSS 4.0 base score is 7.1 (high), reflecting the network attack vector, low attack complexity, no privileges required beyond authentication, and high impact on confidentiality. The vulnerability does not affect integrity or availability and is not mitigated by any security controls. No patches or exploit code are currently publicly available, but the risk remains significant for affected environments. The vulnerability was published in February 2026 and assigned by INCIBE.

For European organizations, the primary impact is unauthorized disclosure of sensitive user information stored within Graylog's user profiles. This can lead to privacy violations under GDPR, reputational damage, and potential targeted phishing or social engineering attacks leveraging exposed user details. Organizations that use Graylog 2.2.3 for centralized log management and monitoring are at risk of internal data leakage if an attacker gains authenticated access. While the vulnerability does not allow modification or deletion of data, the exposure of internal identifiers and activity logs can aid attackers in further reconnaissance or lateral movement within the network. The impact is particularly critical for sectors with strict data protection requirements such as finance, healthcare, and government agencies in Europe. Additionally, unauthorized access to user profiles may violate compliance mandates and result in regulatory penalties.

Immediate mitigation involves upgrading Graylog to a version where this vulnerability is patched; however, no patch links are currently provided, so contacting Graylog support or monitoring official channels for updates is essential. In the interim, organizations should restrict access to the Graylog Web Interface and API to trusted networks and authenticated users only, employing network segmentation and firewall rules to limit exposure. Implement multi-factor authentication (MFA) to reduce the risk of compromised credentials being exploited. Audit and monitor access logs for unusual activity, especially repeated access attempts to user profile endpoints. Consider deploying Web Application Firewalls (WAF) with custom rules to detect and block suspicious URL parameter manipulation. Review and tighten user role permissions within Graylog to minimize the number of users with access to sensitive API endpoints. Finally, conduct internal security awareness training to highlight the risks of credential compromise and the importance of secure access.