
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-53106 is a high-severity vulnerability affecting Graylog versions 6.2.0 and above, discovered and disclosed on June 30, 2025. The vulnerability exists in the Graylog server application and affects the API token creation functionality. The issue has been patched in versions 6.2.4 and 6.3.0-rc.2 (GitHub Advisory).
The vulnerability stems from a weak permission check in the API token creation process. Because of this weak check, an authenticated user can send hand-crafted requests to the Graylog REST API and create API tokens for any user whose ID is known to the attacker. The vulnerability has received a CVSS v4.0 score of 8.8 (High), with the following vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (GitHub Advisory).
When successfully exploited, this vulnerability enables privilege escalation: a user creates an API token for the local Administrator (or any other user whose ID is known) and then uses that token to act as that user. The attack requires an existing user account in Graylog but can lead to unauthorized access and potential system compromise (GitHub Advisory).
As an immediate workaround, administrators can disable the ability for regular users to create API tokens through System > Configuration > Users > 'Allow users to create personal access tokens'. After upgrading to a patched version, administrators should review existing API tokens, check the Audit Log (in Enterprise version) for suspicious token creations, and review API token creation requests in access logs. The permanent fix is to upgrade to versions 6.2.4 or 6.3.0-rc.2 (GitHub Advisory).
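The post-upgrade review step above ("review API token creation requests in access logs") can be scripted. The following is an added example, not code from Wiz, Graylog or the GitHub advisory. It assumes a simplified access-log layout (client IP, authenticated user ID, quoted request line, HTTP status) and assumes that token creation is a `POST` to `/api/users/{userId}/tokens/{tokenName}`; both the log format and the route are assumptions to adapt to your deployment, and the sample log lines are constructed. It flags every token creation where the requesting account differs from the account in the URL path, which is the pattern this CVE allows a non-administrator to perform.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample access-log lines. The format (client IP, authenticated
# user ID, quoted request line, HTTP status) is an assumption for this example;
# adjust LINE_RE to match the access-log layout of your own deployment.
SAMPLE_LOG = """\
10.0.0.5 user-aaa "POST /api/users/user-aaa/tokens/backup" 200
10.0.0.5 user-aaa "POST /api/users/local:admin/tokens/sync" 200
10.0.0.9 admin "POST /api/users/user-bbb/tokens/ci" 200
10.0.0.7 user-ccc "GET /api/users/user-ccc/tokens" 200
10.0.0.7 user-ccc "POST /api/users/user-ddd/tokens/x" 403
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<actor>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)
# Assumed token-creation route: POST /api/users/{userId}/tokens/{tokenName}
TOKEN_CREATE_RE = re.compile(r"^/api/users/(?P<target>[^/?]+)/tokens/(?P<name>[^/?]+)$")

# Accounts that are allowed to mint tokens for other users (assumed for this example).
ADMIN_ACCOUNTS: Set[str] = {"admin"}


@dataclass
class Finding:
    client: str
    actor: str       # authenticated user who sent the request
    target: str      # user ID in the URL path that the token was created for
    token_name: str
    status: int
    reason: str


def parse_token_creation(line: str) -> Optional[dict]:
    """Return the fields of a token-creation request, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("method") != "POST":
        return None
    p = TOKEN_CREATE_RE.match(m.group("path"))
    if not p:
        return None
    return {
        "client": m.group("client"),
        "actor": m.group("actor"),
        "target": p.group("target"),
        "token_name": p.group("name"),
        "status": int(m.group("status")),
    }


def find_cross_user_token_creations(log_text: str, admins: Set[str] = ADMIN_ACCOUNTS) -> List[Finding]:
    """Flag token creations where the requester is not the token's owner.

    A non-admin creating a token for someone else is the pattern this CVE
    enables; a 2xx status means the server accepted it. Admin-issued tokens
    for other users are legitimate but are still listed for review.
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        req = parse_token_creation(line)
        if req is None or req["actor"] == req["target"]:
            continue  # not a token creation, or a user minting their own token
        succeeded = 200 <= req["status"] < 300
        if req["actor"] in admins:
            reason = "admin-issued token for another user (review)"
        elif succeeded:
            reason = "cross-user token creation by non-admin (succeeded)"
        else:
            reason = "cross-user token creation by non-admin (denied)"
        findings.append(Finding(req["client"], req["actor"], req["target"],
                                req["token_name"], req["status"], reason))
    return findings


if __name__ == "__main__":
    for f in find_cross_user_token_creations(SAMPLE_LOG):
        print(f"{f.client} {f.actor} -> {f.target} "
              f"(token '{f.token_name}', HTTP {f.status}): {f.reason}")
```

Any "succeeded" finding from a non-admin account is a token that should be revoked and an account that should be investigated; a "denied" finding on a patched server shows the fix working but still identifies an account probing for the flaw.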
Source: This report was generated using AI