Summary
Workarounds
In Graylog version 6.2.0 and above, regular users can be restricted from creating API tokens. The respective configuration can be found in System > Configuration > Users > "Allow users to create personal access tokens". This option should be Disabled, so that only administrators are allowed to create tokens.
Recommended Actions
After upgrading Graylog from a vulnerable version to a patched version, administrators are advised to perform the following steps to ensure the integrity of their system:
Review API tokens
An overview of all existing API tokens is available at System > Users and Teams > Token Management. Please review this list carefully and ensure each token is there for a reason.
Check Audit Log (Graylog Enterprise only)
Graylog Enterprise provides an audit log that can be used to review which API tokens were created when the system was vulnerable. Please search the Audit Log for action:create token and match the Actor with the user for whom the token was created. In most cases this should be the same user, but there might be legitimate reasons for users to be allowed to create tokens for other users. If in doubt, please review the user's actual permissions.
Review API token creation requests
Graylog Open does not provide audit logging, but many setups contain infrastructure components, like reverse proxies, in front of the Graylog REST API. These components often provide HTTP access logs. Please check the access logs to detect malicious token creations by reviewing all API token requests to the /api/users/{user_id}/tokens/{token_name} endpoint ({user_id} and {token_name} may be arbitrary strings).
Impact
Graylog users can gain elevated privileges by creating and using API tokens for the local Administrator or any other user for whom the malicious user knows the ID.
For the attack to succeed, the attacker needs a user account in Graylog. They can then proceed to issue hand-crafted requests to the Graylog REST API and exploit a weak permission check for token creation.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
org.graylog2:graylog2-server to 6.2.4 or later; org.graylog2:graylog2-server to 6.3.0-rc.2 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2025-53106? CVE-2025-53106 is a high-severity security vulnerability in org.graylog2:graylog2-server (maven), affecting versions >= 6.2.0, < 6.2.4. It is fixed in 6.2.4, 6.3.0-rc.2.
- Which versions of org.graylog2:graylog2-server are affected by CVE-2025-53106? org.graylog2:graylog2-server (maven) versions >= 6.2.0, < 6.2.4 is affected.
- Is there a fix for CVE-2025-53106? Yes. CVE-2025-53106 is fixed in 6.2.4, 6.3.0-rc.2. Upgrade to this version or later.
- Is CVE-2025-53106 exploitable, and should I be worried? Whether CVE-2025-53106 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2025-53106 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-53106?
- Upgrade
org.graylog2:graylog2-serverto 6.2.4 or later - Upgrade
org.graylog2:graylog2-serverto 6.3.0-rc.2 or later
- Upgrade