Vulnerability Lookup

🛡️ CVE-2024-52506

🟠 CVSS 8.0 — High ⚠️ Exploit Public CWE-200 NVD

8.0

CVSS Score

0 Low4 Medium7 High9 Critical10

Description

Graylog is a free and open log management platform. The reporting functionality in Graylog allows the creation and scheduling of reports which contain dashboard widgets displaying individual log messages or metrics aggregated from fields of multiple log messages. This functionality, as included in Graylog 6.1.0 & 6.1.1, is vulnerable to information leakage triggered by multiple concurrent report rendering requests from authorized users. When multiple report renderings are requested at the same start time, the headless browser instance used to render the PDF will be reused. Depending on the timing, either a check for the browser instance "freshness" hits, resulting in an error instead of the report being returned, or one of the concurrent report rendering requests "wins" and this report is returned for all report rendering requests that do not return an error. This might lead to one user getting the report of a different user, potentially leaking indexed log messages or aggregated data that this user normally has no access to. This problem is fixed in Graylog 6.1.2. There is no known workaround besides disabling the reporting functionality.

Details

Severity MEDIUM

CVSS Score 8.0

CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE CWE-200

Public Exploit ⚠️ Yes

Source NVD

Published 2024-11-18

Updated 2026-06-02

Modified 2025-11-03

Fix URL https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-vggm-3478-vm5m

Affected Packages

Software	From version	Fixed in
graylog	6.1.0	6.1.2
org.graylog:graylog-parent	6.1.0	6.1.2

References

Patch, Third Party Advisory https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-vggm-3478-vm5m

Exploit, Third Party Advisory https://www.vicarius.io/vsociety/posts/cve-2024-52506-detect-graylog-vulnerability

Exploit, Third Party Advisory https://www.vicarius.io/vsociety/posts/cve-2024-52506-mitigate-graylog-vulnerability

🔗 NVD 🔗 Mitre ✅ Fix / Advisory

Similar Threats

Critical CVE-2026-1435
Medium CVE-2026-1436
Medium CVE-2026-1437
Medium CVE-2026-1438
Medium CVE-2026-1439

Patch Gap Protection

Running software with known vulnerabilities?

BotEraser can help reduce exposure by blocking IPs associated with exploit activity — even before a patch is available.

Start Free →

No credit card required · Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.

Running software with known vulnerabilities?

Company

Resources

Services

Trusted

Subscribe