MISP
Description
Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing
Website
Product names
misp, misp-project, misp_project, malware_information_sharing_platform
Related organizations
CVE-2026-54398 (GCVE-0-2026-54398)
Vulnerability from – Published: 2026-06-12 21:08 – Updated: 2026-06-12 21:08
VLAI
Title
MISP object edit authorization bypass allows unauthorized sharing group assignment
Summary
An authorization flaw in MISP’s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects, the sharing group validation was performed against the wrong request data structure after object fields had been merged to the top level, causing the check to be bypassed. In addition, attributes embedded in objects were not individually validated for authorized sharing group use.
An attacker could craft a request with distribution set to 4 and an arbitrary sharing_group_id, potentially disclosing the existence or name of otherwise non-visible sharing groups and improperly modifying the distribution metadata of objects or contained attributes.
Severity
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/4fe48c523e669… | patch |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"repo": "https://github.com/misp/misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.40",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
},
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn authorization flaw in MISP\u2019s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects, the sharing group validation was performed against the wrong request data structure after object fields had been merged to the top level, causing the check to be bypassed. In addition, attributes embedded in objects were not individually validated for authorized sharing group use.\u003c/p\u003e\u003cp\u003eAn attacker could craft a request with \u003ccode\u003edistribution\u003c/code\u003e set to \u003ccode\u003e4\u003c/code\u003e and an arbitrary \u003ccode\u003esharing_group_id\u003c/code\u003e, potentially disclosing the existence or name of otherwise non-visible sharing groups and improperly modifying the distribution metadata of objects or contained attributes.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "An authorization flaw in MISP\u2019s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects, the sharing group validation was performed against the wrong request data structure after object fields had been merged to the top level, causing the check to be bypassed. In addition, attributes embedded in objects were not individually validated for authorized sharing group use.\n\nAn attacker could craft a request with distribution set to 4 and an arbitrary sharing_group_id, potentially disclosing the existence or name of otherwise non-visible sharing groups and improperly modifying the distribution metadata of objects or contained attributes."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
},
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T21:08:15.574Z",
"orgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"shortName": "CIRCL"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/4fe48c523e66999d65f99fdec9508adb3aa1c0f3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MISP object edit authorization bypass allows unauthorized sharing group assignment",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"assignerShortName": "CIRCL",
"cveId": "CVE-2026-54398",
"datePublished": "2026-06-12T21:08:15.574Z",
"dateReserved": "2026-06-12T21:08:11.128Z",
"dateUpdated": "2026-06-12T21:08:15.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54397 (GCVE-0-2026-54397)
Vulnerability from – Published: 2026-06-12 20:55 – Updated: 2026-06-12 20:55
VLAI
Title
MISP event editing allows unauthorized assignment to undisclosed sharing groups
Summary
A vulnerability in MISP’s non-REST event editing path allowed an authenticated user with event edit permissions to manipulate the submitted form data and set an event’s sharing_group_id to a sharing group they were not authorized to use. When distribution was set to sharing group distribution, the non-REST save path accepted the submitted sharing_group_id without performing the same sharing group authorization check enforced by the REST edit path.
An attacker could exploit this by tampering with the event edit request and assigning an event to an undisclosed or unauthorized sharing group. This could result in unauthorized use of restricted sharing groups, disclosure of the sharing group name in event listings, and unintended modification of the event’s distribution metadata.
The issue is fixed by validating that the selected sharing group can be used by the current user when the sharing group is changed, and by clearing sharing_group_id when the event distribution is not set to sharing group distribution.
Severity
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/609ff6c785d7d… | patch |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.40",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability in MISP\u2019s non-REST event editing path allowed an authenticated user with event edit permissions to manipulate the submitted form data and set an event\u2019s \u003ccode\u003esharing_group_id\u003c/code\u003e to a sharing group they were not authorized to use. When \u003ccode\u003edistribution\u003c/code\u003e was set to sharing group distribution, the non-REST save path accepted the submitted \u003ccode\u003esharing_group_id\u003c/code\u003e without performing the same sharing group authorization check enforced by the REST edit path.\u003c/p\u003e\u003cp\u003eAn attacker could exploit this by tampering with the event edit request and assigning an event to an undisclosed or unauthorized sharing group. This could result in unauthorized use of restricted sharing groups, disclosure of the sharing group name in event listings, and unintended modification of the event\u2019s distribution metadata.\u003c/p\u003e\u003cp\u003eThe issue is fixed by validating that the selected sharing group can be used by the current user when the sharing group is changed, and by clearing \u003ccode\u003esharing_group_id\u003c/code\u003e when the event distribution is not set to sharing group distribution.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A vulnerability in MISP\u2019s non-REST event editing path allowed an authenticated user with event edit permissions to manipulate the submitted form data and set an event\u2019s sharing_group_id to a sharing group they were not authorized to use. When distribution was set to sharing group distribution, the non-REST save path accepted the submitted sharing_group_id without performing the same sharing group authorization check enforced by the REST edit path.\n\nAn attacker could exploit this by tampering with the event edit request and assigning an event to an undisclosed or unauthorized sharing group. This could result in unauthorized use of restricted sharing groups, disclosure of the sharing group name in event listings, and unintended modification of the event\u2019s distribution metadata.\n\nThe issue is fixed by validating that the selected sharing group can be used by the current user when the sharing group is changed, and by clearing sharing_group_id when the event distribution is not set to sharing group distribution."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T20:55:53.051Z",
"orgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"shortName": "CIRCL"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/609ff6c785d7dae41d22ef43dda9347d34cd2a58"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MISP event editing allows unauthorized assignment to undisclosed sharing groups",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"assignerShortName": "CIRCL",
"cveId": "CVE-2026-54397",
"datePublished": "2026-06-12T20:55:53.051Z",
"dateReserved": "2026-06-12T20:55:46.737Z",
"dateUpdated": "2026-06-12T20:55:53.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54396 (GCVE-0-2026-54396)
Vulnerability from – Published: 2026-06-12 20:48 – Updated: 2026-06-12 20:48
VLAI
Title
MISP AuthKey edit endpoint allows authenticated user email enumeration
Summary
An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from the submitted request data. An authenticated user with permission to edit an AuthKey could submit arbitrary user IDs and observe the returned dropdown data, allowing enumeration of user email addresses. The issue is fixed by deriving the dropdown user from the persisted AuthKey owner instead of the request body.
Severity
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/42737f4e88df8… | patch |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"repo": "https://github.com/misp/misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.40",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled \u003ccode\u003eAuthKey.user_id\u003c/code\u003e value from the submitted request data. An authenticated user with permission to edit an AuthKey could submit arbitrary user IDs and observe the returned dropdown data, allowing enumeration of user email addresses. The issue is fixed by deriving the dropdown user from the persisted AuthKey owner instead of the request body."
}
],
"value": "An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from the submitted request data. An authenticated user with permission to edit an AuthKey could submit arbitrary user IDs and observe the returned dropdown data, allowing enumeration of user email addresses. The issue is fixed by deriving the dropdown user from the persisted AuthKey owner instead of the request body."
}
],
"impacts": [
{
"capecId": "CAPEC-54",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-54 Query System for Information"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T20:48:18.723Z",
"orgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"shortName": "CIRCL"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/42737f4e88df801486334690913dd344e447fac3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MISP AuthKey edit endpoint allows authenticated user email enumeration",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"assignerShortName": "CIRCL",
"cveId": "CVE-2026-54396",
"datePublished": "2026-06-12T20:48:18.723Z",
"dateReserved": "2026-06-12T20:46:44.530Z",
"dateUpdated": "2026-06-12T20:48:18.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54395 (GCVE-0-2026-54395)
Vulnerability from – Published: 2026-06-12 20:36 – Updated: 2026-06-12 20:36
VLAI
Title
MISP UiBeta event index reflected XSS in advanced filter popup
Summary
MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Because browsers HTML-decode attribute values before JavaScript parsing, a crafted searcheventinfo value can restore encoded quote characters and break out of the JavaScript string. An attacker could craft a malicious URL that, when opened by a victim using the UiBeta event index, executes arbitrary JavaScript in the victim’s browser in the context of the MISP instance. The issue is fixed by encoding the value as a JavaScript string literal with json_encode() before applying HTML escaping at the attribute layer.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/b865deb036ca8… | patch |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"repo": "https://github.com/misp/misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.40",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The \u003ccode\u003eurlparams\u003c/code\u003e value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Because browsers HTML-decode attribute values before JavaScript parsing, a crafted \u003ccode\u003esearcheventinfo\u003c/code\u003e value can restore encoded quote characters and break out of the JavaScript string. An attacker could craft a malicious URL that, when opened by a victim using the UiBeta event index, executes arbitrary JavaScript in the victim\u2019s browser in the context of the MISP instance. The issue is fixed by encoding the value as a JavaScript string literal with \u003ccode\u003ejson_encode()\u003c/code\u003e before applying HTML escaping at the attribute layer."
}
],
"value": "MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Because browsers HTML-decode attribute values before JavaScript parsing, a crafted searcheventinfo value can restore encoded quote characters and break out of the JavaScript string. An attacker could craft a malicious URL that, when opened by a victim using the UiBeta event index, executes arbitrary JavaScript in the victim\u2019s browser in the context of the MISP instance. The issue is fixed by encoding the value as a JavaScript string literal with json_encode() before applying HTML escaping at the attribute layer."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T20:36:09.244Z",
"orgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"shortName": "CIRCL"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/b865deb036ca82dab272be260798f562034ba9ae"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MISP UiBeta event index reflected XSS in advanced filter popup",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"assignerShortName": "CIRCL",
"cveId": "CVE-2026-54395",
"datePublished": "2026-06-12T20:36:09.244Z",
"dateReserved": "2026-06-12T20:34:55.208Z",
"dateUpdated": "2026-06-12T20:36:09.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54394 (GCVE-0-2026-54394)
Vulnerability from – Published: 2026-06-12 20:30 – Updated: 2026-06-12 20:30
VLAI
Title
MISP organisation logo path traversal allows retrieval of arbitrary PNG/SVG files
Summary
MISP contains a path traversal vulnerability in OrganisationsController::getOrgLogo. The vulnerable code builds organisation logo file paths using organisation-controlled fields such as id, name, and uuid without ensuring that the resolved file remains inside the intended APP/files/img/orgs/ directory. An attacker able to influence an organisation field, for example the organisation name, could use path traversal sequences to cause MISP to return arbitrary readable .png or .svg files from outside the organisation logo directory. The issue is fixed by resolving candidate paths with realpath() and verifying that they remain under the expected base directory before serving the file.
Severity
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/b865deb036ca8… | patch |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"repo": "https://github.com/misp/misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.40",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "MISP contains a path traversal vulnerability in \u003ccode\u003eOrganisationsController::getOrgLogo\u003c/code\u003e. The vulnerable code builds organisation logo file paths using organisation-controlled fields such as \u003ccode\u003eid\u003c/code\u003e, \u003ccode\u003ename\u003c/code\u003e, and \u003ccode\u003euuid\u003c/code\u003e without ensuring that the resolved file remains inside the intended \u003ccode\u003eAPP/files/img/orgs/\u003c/code\u003e directory. An attacker able to influence an organisation field, for example the organisation name, could use path traversal sequences to cause MISP to return arbitrary readable \u003ccode\u003e.png\u003c/code\u003e or \u003ccode\u003e.svg\u003c/code\u003e files from outside the organisation logo directory. The issue is fixed by resolving candidate paths with \u003ccode\u003erealpath()\u003c/code\u003e and verifying that they remain under the expected base directory before serving the file."
}
],
"value": "MISP contains a path traversal vulnerability in OrganisationsController::getOrgLogo. The vulnerable code builds organisation logo file paths using organisation-controlled fields such as id, name, and uuid without ensuring that the resolved file remains inside the intended APP/files/img/orgs/ directory. An attacker able to influence an organisation field, for example the organisation name, could use path traversal sequences to cause MISP to return arbitrary readable .png or .svg files from outside the organisation logo directory. The issue is fixed by resolving candidate paths with realpath() and verifying that they remain under the expected base directory before serving the file."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T20:30:25.887Z",
"orgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"shortName": "CIRCL"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/b865deb036ca82dab272be260798f562034ba9ae"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MISP organisation logo path traversal allows retrieval of arbitrary PNG/SVG files",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"assignerShortName": "CIRCL",
"cveId": "CVE-2026-54394",
"datePublished": "2026-06-12T20:30:25.887Z",
"dateReserved": "2026-06-12T20:30:17.302Z",
"dateUpdated": "2026-06-12T20:30:25.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54393 (GCVE-0-2026-54393)
Vulnerability from – Published: 2026-06-12 20:21 – Updated: 2026-06-12 20:21
VLAI
Title
MISP Overmind theme stored XSS via unvalidated homepage setting
Summary
A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal(), bypassing the normal setSetting() validation logic, including validate_homepage, which requires homepage paths to start with /. As a result, an authenticated user could store an arbitrary homepage value, including an XSS payload.
The stored value was later rendered in app/View/News/index.ctp as the href attribute of the “Continue to homepage” link without HTML escaping. This could allow execution of attacker-controlled JavaScript in the browser context of the affected MISP instance when the crafted homepage link is rendered and interacted with.
The issue is fixed by always persisting the homepage setting through setSetting(), ensuring validation and access checks are applied, and by HTML-escaping the homepage value before rendering it in the news view.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/d4733ca5d2fcc… | patch |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"repo": "https://github.com/misp/misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.40",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The \u003ccode\u003esetHomePage\u003c/code\u003e endpoint previously saved the user-controlled \u003ccode\u003epath\u003c/code\u003e value through \u003ccode\u003esetSettingInternal()\u003c/code\u003e, bypassing the normal \u003ccode\u003esetSetting()\u003c/code\u003e validation logic, including \u003ccode\u003evalidate_homepage\u003c/code\u003e, which requires homepage paths to start with \u003ccode\u003e/\u003c/code\u003e. As a result, an authenticated user could store an arbitrary homepage value, including an XSS payload.\u003c/p\u003e\u003cp\u003eThe stored value was later rendered in \u003ccode\u003eapp/View/News/index.ctp\u003c/code\u003e as the \u003ccode\u003ehref\u003c/code\u003e attribute of the \u201cContinue to homepage\u201d link without HTML escaping. This could allow execution of attacker-controlled JavaScript in the browser context of the affected MISP instance when the crafted homepage link is rendered and interacted with.\u003c/p\u003e\u003cp\u003eThe issue is fixed by always persisting the homepage setting through \u003ccode\u003esetSetting()\u003c/code\u003e, ensuring validation and access checks are applied, and by HTML-escaping the homepage value before rendering it in the news view.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal(), bypassing the normal setSetting() validation logic, including validate_homepage, which requires homepage paths to start with /. As a result, an authenticated user could store an arbitrary homepage value, including an XSS payload.\n\nThe stored value was later rendered in app/View/News/index.ctp as the href attribute of the \u201cContinue to homepage\u201d link without HTML escaping. This could allow execution of attacker-controlled JavaScript in the browser context of the affected MISP instance when the crafted homepage link is rendered and interacted with.\n\nThe issue is fixed by always persisting the homepage setting through setSetting(), ensuring validation and access checks are applied, and by HTML-escaping the homepage value before rendering it in the news view."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T20:21:48.441Z",
"orgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"shortName": "CIRCL"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/d4733ca5d2fcceb12abc72ec6069f2484e3b8ec2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MISP Overmind theme stored XSS via unvalidated homepage setting",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"assignerShortName": "CIRCL",
"cveId": "CVE-2026-54393",
"datePublished": "2026-06-12T20:21:48.441Z",
"dateReserved": "2026-06-12T20:21:32.243Z",
"dateUpdated": "2026-06-12T20:21:48.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54362 (GCVE-0-2026-54362)
Vulnerability from – Published: 2026-06-12 20:08 – Updated: 2026-06-12 20:08
VLAI
Title
MISP template builder exposes non-visible custom galaxies across organisations
Summary
An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user’s organisation or distributed beyond it used a PHP comparison expression instead of a query condition. As a result, enabled galaxies, including organisation-only custom galaxies belonging to other organisations, could be exposed in the template builder galaxy list. This could disclose metadata about private galaxy definitions to unauthorised users.
Severity
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/8aa2bb6d1af6e… | patch |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"repo": "https://github.com/misp/misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.40",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user\u2019s organisation or distributed beyond it used a PHP comparison expression instead of a query condition. As a result, enabled galaxies, including organisation-only custom galaxies belonging to other organisations, could be exposed in the template builder galaxy list. This could disclose metadata about private galaxy definitions to unauthorised users."
}
],
"value": "An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user\u2019s organisation or distributed beyond it used a PHP comparison expression instead of a query condition. As a result, enabled galaxies, including organisation-only custom galaxies belonging to other organisations, could be exposed in the template builder galaxy list. This could disclose metadata about private galaxy definitions to unauthorised users."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T20:08:55.486Z",
"orgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"shortName": "CIRCL"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/8aa2bb6d1af6e8c57c8d8437cf203acb8bce7a53"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MISP template builder exposes non-visible custom galaxies across organisations",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"assignerShortName": "CIRCL",
"cveId": "CVE-2026-54362",
"datePublished": "2026-06-12T20:08:55.486Z",
"dateReserved": "2026-06-12T20:07:08.918Z",
"dateUpdated": "2026-06-12T20:08:55.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54357 (GCVE-0-2026-54357)
Vulnerability from – Published: 2026-06-12 19:25 – Updated: 2026-06-12 20:05
VLAI
Title
MISP improper authorization allows organization administrators to modify site administrator user settings
Summary
An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks scoped administrative actions by organization membership but did not exclude higher-privileged site administrator users. As a result, an organization administrator could potentially view or alter site administrator user settings and related login profile information, crossing the intended privilege boundary between organization administration and site-wide administration.
The patch hardens the ACL logic by excluding site administrator accounts from organization administrator–managed user sets, adding explicit authorization failure when a target user is not administrable, and ensuring user setting and login profile operations fail closed.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/ed3d9b862dea4… | patch |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54357",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T20:04:59.211889Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T20:05:08.619Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"repo": "https://github.com/misp/misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.40",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HE WEI\uff08\u30ae\u30ab\u30af)"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks scoped administrative actions by organization membership but did not exclude higher-privileged site administrator users. As a result, an organization administrator could potentially view or alter site administrator user settings and related login profile information, crossing the intended privilege boundary between organization administration and site-wide administration.\u003c/p\u003e\u003cp\u003eThe patch hardens the ACL logic by excluding site administrator accounts from organization administrator\u2013managed user sets, adding explicit authorization failure when a target user is not administrable, and ensuring user setting and login profile operations fail closed.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks scoped administrative actions by organization membership but did not exclude higher-privileged site administrator users. As a result, an organization administrator could potentially view or alter site administrator user settings and related login profile information, crossing the intended privilege boundary between organization administration and site-wide administration.\n\nThe patch hardens the ACL logic by excluding site administrator accounts from organization administrator\u2013managed user sets, adding explicit authorization failure when a target user is not administrable, and ensuring user setting and login profile operations fail closed."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T19:25:32.339Z",
"orgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"shortName": "CIRCL"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/ed3d9b862dea4c8c8e9b620a5ad99ce0c2c82154"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MISP improper authorization allows organization administrators to modify site administrator user settings",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"assignerShortName": "CIRCL",
"cveId": "CVE-2026-54357",
"datePublished": "2026-06-12T19:25:32.339Z",
"dateReserved": "2026-06-12T19:25:24.593Z",
"dateUpdated": "2026-06-12T20:05:08.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54361 (GCVE-0-2026-54361)
Vulnerability from – Published: 2026-06-12 19:59 – Updated: 2026-06-12 19:59
VLAI
Title
MISP mass assignment vulnerabilities allow unauthorized modification of ownership and delegation records
Summary
MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-related fields such as id, org_id, orgc_id, and user_id.
An authenticated attacker with access to the affected endpoints could craft requests containing protected fields in order to alter object ownership, redirect an update to another record, overwrite existing event delegation requests, or modify shadow attribute proposals belonging to another organization. This could result in unauthorized modification of MISP objects and, depending on object visibility and sharing configuration, unauthorized access to or transfer of sensitive threat intelligence data.
The issue was fixed by explicitly pinning ownership and identity fields to their stored values during edit operations and by removing user-supplied primary keys from create-only save paths.
Affected components:
* CollectionsController::edit()
* EventDelegationsController::delegateEvent()
* ShadowAttributesController::edit()
* TagCollectionsController::edit()915
* TagCollectionsController::editWithTags()
Attack requirements:
The attacker must be authenticated and able to reach the affected MISP endpoints. No user interaction is required.
Severity
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/9341690e9b6dd… | patch |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"repo": "https://github.com/misp/misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.40",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-related fields such as \u003ccode\u003eid\u003c/code\u003e, \u003ccode\u003eorg_id\u003c/code\u003e, \u003ccode\u003eorgc_id\u003c/code\u003e, and \u003ccode\u003euser_id\u003c/code\u003e.\u003c/p\u003e\u003cp\u003eAn authenticated attacker with access to the affected endpoints could craft requests containing protected fields in order to alter object ownership, redirect an update to another record, overwrite existing event delegation requests, or modify shadow attribute proposals belonging to another organization. This could result in unauthorized modification of MISP objects and, depending on object visibility and sharing configuration, unauthorized access to or transfer of sensitive threat intelligence data.\u003c/p\u003e\u003cp\u003eThe issue was fixed by explicitly pinning ownership and identity fields to their stored values during edit operations and by removing user-supplied primary keys from create-only save paths.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAffected components:\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ccode\u003eCollectionsController::edit()\u003c/code\u003e\u003c/li\u003e\u003cli\u003e\u003ccode\u003eEventDelegationsController::delegateEvent()\u003c/code\u003e\u003c/li\u003e\u003cli\u003e\u003ccode\u003eShadowAttributesController::edit()\u003c/code\u003e\u003c/li\u003e\u003cli\u003e\u003ccode\u003eTagCollectionsController::edit()915\u003c/code\u003e\u003c/li\u003e\u003cli\u003e\u003ccode\u003eTagCollectionsController::editWithTags()\u003c/code\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eAttack requirements:\u003c/strong\u003e\u003cbr\u003eThe attacker must be authenticated and able to reach the affected MISP endpoints. No user interaction is required.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-related fields such as id, org_id, orgc_id, and user_id.\n\nAn authenticated attacker with access to the affected endpoints could craft requests containing protected fields in order to alter object ownership, redirect an update to another record, overwrite existing event delegation requests, or modify shadow attribute proposals belonging to another organization. This could result in unauthorized modification of MISP objects and, depending on object visibility and sharing configuration, unauthorized access to or transfer of sensitive threat intelligence data.\n\nThe issue was fixed by explicitly pinning ownership and identity fields to their stored values during edit operations and by removing user-supplied primary keys from create-only save paths.\n\nAffected components:\n\n * CollectionsController::edit()\n * EventDelegationsController::delegateEvent()\n * ShadowAttributesController::edit()\n * TagCollectionsController::edit()915\n * TagCollectionsController::editWithTags()\n\n\nAttack requirements:\nThe attacker must be authenticated and able to reach the affected MISP endpoints. No user interaction is required."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T19:59:58.787Z",
"orgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"shortName": "CIRCL"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/9341690e9b6dde7f0605edea5533e05ba7362e35"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MISP mass assignment vulnerabilities allow unauthorized modification of ownership and delegation records",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"assignerShortName": "CIRCL",
"cveId": "CVE-2026-54361",
"datePublished": "2026-06-12T19:59:58.787Z",
"dateReserved": "2026-06-12T19:59:41.236Z",
"dateUpdated": "2026-06-12T19:59:58.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54360 (GCVE-0-2026-54360)
Vulnerability from – Published: 2026-06-12 19:51 – Updated: 2026-06-12 19:51
VLAI
Title
MISP sharing group creation mass assignment allows unauthorized takeover of existing sharing groups
Summary
A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create() followed by save() operation to update an existing record instead of creating a new one.
An authenticated user with permission to add sharing groups could therefore submit the identifier of an existing sharing group and modify that sharing group without passing the normal edit access-control checks. This may allow the attacker to take over or alter sharing groups they do not otherwise have access to, potentially affecting the confidentiality and integrity of information shared through those groups.
Affected component:
app/Controller/SharingGroupsController.php, add() action
Severity
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/687e7cb530ae0… | patch |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"repo": "https://github.com/misp/misp",
"vendor": "misp",
"versions": [
{
"lessThan": "2.5.40",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA mass assignment vulnerability exists in MISP\u2019s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied \u003ccode\u003eid\u003c/code\u003e field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a \u003ccode\u003ecreate()\u003c/code\u003e followed by \u003ccode\u003esave()\u003c/code\u003e operation to update an existing record instead of creating a new one.\u003c/p\u003e\u003cp\u003eAn authenticated user with permission to add sharing groups could therefore submit the identifier of an existing sharing group and modify that sharing group without passing the normal edit access-control checks. This may allow the attacker to take over or alter sharing groups they do not otherwise have access to, potentially affecting the confidentiality and integrity of information shared through those groups.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAffected component:\u003c/strong\u003e\u003cbr\u003e\u003ccode\u003eapp/Controller/SharingGroupsController.php\u003c/code\u003e, \u003ccode\u003eadd()\u003c/code\u003e action\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A mass assignment vulnerability exists in MISP\u2019s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create() followed by save() operation to update an existing record instead of creating a new one.\n\nAn authenticated user with permission to add sharing groups could therefore submit the identifier of an existing sharing group and modify that sharing group without passing the normal edit access-control checks. This may allow the attacker to take over or alter sharing groups they do not otherwise have access to, potentially affecting the confidentiality and integrity of information shared through those groups.\n\nAffected component:\napp/Controller/SharingGroupsController.php, add() action"
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T19:51:44.187Z",
"orgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"shortName": "CIRCL"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/687e7cb530ae0e2faaadf5e3e44712258fb3ef1b"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "MISP sharing group creation mass assignment allows unauthorized takeover of existing sharing groups",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"assignerShortName": "CIRCL",
"cveId": "CVE-2026-54360",
"datePublished": "2026-06-12T19:51:44.187Z",
"dateReserved": "2026-06-12T19:51:37.078Z",
"dateUpdated": "2026-06-12T19:51:44.187Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
displaying 1 - 10 organizations in total 133