GCVE-1-2026-20046

Vulnerability from gna-1 – Published: 2026-06-11 13:07 – Updated: 2026-06-11 13:08
Title
MISP may be exposed to CSRF attacks when Sec-Fetch-Site enforcement is disabled
Summary
MISP instances with the Security.check_sec_fetch_site_header setting disabled may be exposed to cross-site request forgery attacks against state-changing endpoints, including automation endpoints. A remote unauthenticated attacker could craft a malicious web page or link that causes the browser of an authenticated MISP user to issue POST, PUT, or AJAX requests to the affected instance. If accepted by the application, those requests may be processed with the privileges of the victim user.

This issue is configuration-dependent. The upstream change introduces an administrative security warning for instances where Security.check_sec_fetch_site_header is not enabled. Enabling this setting is recommended because it restricts relevant requests to cases where the Sec-Fetch-Site header is absent or indicates same-origin. Operators of multi-homed instances should test before enabling, as this protection may interfere with deployments that are accessed through multiple hostnames or addresses.

Affected configuration:
Security.check_sec_fetch_site_header = false

Recommended mitigation:
Enable Security.check_sec_fetch_site_header where compatible with the deployment, and validate legitimate workflows on instances served under multiple hostnames.
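To make the gate concrete, the following Python model is an added illustration and not MISP's own code (MISP is written in PHP/CakePHP, and the real check may differ in detail). It encodes only the rule stated in the summary: with the check enabled, a state-changing request passes when Sec-Fetch-Site is absent or equals same-origin, and is rejected otherwise. The request paths, the sample traffic and the Cookie/Authorization values are constructed placeholders (the advisory names no specific endpoint), and browser_sec_fetch_site approximates the header a browser would emit using a simplified last-two-labels notion of registrable domain rather than the public suffix list. The second_hostname sample shows why the multi-hostname caveat exists: a legitimate request initiated from one hostname of the instance toward another is not same-origin, so the enabled check blocks it.

```python
"""Sec-Fetch-Site gate for state-changing requests, modelled on the advisory text.

Added illustration, not MISP's own code. Rule: with the check enabled, a
state-changing request is accepted only when the Sec-Fetch-Site header is
absent or equals "same-origin".
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Methods that must not change state; the gate is not applied to them.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name: str):
        """Case-insensitive header lookup; None when the header is absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def sec_fetch_site_allows(req: Request, check_enabled: bool = True):
    """Return (allowed, reason) for one request under the modelled rule."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method, not gated"
    if not check_enabled:
        # Security.check_sec_fetch_site_header = false: the affected configuration.
        return True, "check disabled: cross-site POST/PUT accepted"
    value = req.header("Sec-Fetch-Site")
    if value is None:
        # API scripts, curl and old browsers send no Sec-Fetch-Site header.
        return True, "header absent"
    if value.strip().lower() == "same-origin":
        return True, "same-origin"
    return False, f"rejected: Sec-Fetch-Site={value}"


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1 (last two labels). Browsers consult the public
    suffix list; this shortcut is an assumption good enough for the samples."""
    return ".".join(host.lower().split(".")[-2:])


def browser_sec_fetch_site(initiator_origin: str, target_origin: str) -> str:
    """Approximate the header value a browser sends for a request that a page
    at initiator_origin makes to target_origin."""
    a, b = urlsplit(initiator_origin), urlsplit(target_origin)
    if (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port):
        return "same-origin"
    if a.scheme == b.scheme and registrable_domain(a.hostname) == registrable_domain(b.hostname):
        return "same-site"
    return "cross-site"


# Constructed sample traffic (not captured from a real instance); paths and
# credential values are placeholders.
SAMPLES = {
    "ui_form": Request("POST", "/placeholder/edit/1",
                       {"Sec-Fetch-Site": "same-origin", "Cookie": "<session>"}),
    "api_script": Request("POST", "/placeholder/add",
                          {"Authorization": "<api key>", "Accept": "application/json"}),
    "attacker_page": Request("POST", "/placeholder/edit/1",
                             {"Sec-Fetch-Site": "cross-site", "Cookie": "<session>"}),
    "second_hostname": Request("PUT", "/placeholder/edit/1",
                               {"Sec-Fetch-Site": browser_sec_fetch_site(
                                   "https://misp-a.example.org", "https://misp-b.example.org"),
                                "Cookie": "<session>"}),
    "read_only": Request("GET", "/placeholder/view/1", {"Sec-Fetch-Site": "cross-site"}),
}


def triage(check_enabled: bool):
    """Map each sample name to whether the gate lets the request through."""
    return {name: sec_fetch_site_allows(req, check_enabled)[0]
            for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"check_sec_fetch_site_header = {str(enabled).lower()}")
        for name, req in SAMPLES.items():
            ok, why = sec_fetch_site_allows(req, enabled)
            print(f"  {name:16} {req.method:4} -> {'allow' if ok else 'BLOCK'} ({why})")
```

With the check disabled every sample is accepted, including attacker_page, which is the forged request the summary describes. With it enabled attacker_page is blocked, API clients that send no Sec-Fetch-Site header keep working, and second_hostname is blocked as well, which is exactly the workflow an operator of a multi-hostname deployment should exercise before turning the setting on.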
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
  gna-1
References
  • Patch: https://github.com/MISP/MISP/commit/b82db1bcaa550689c05e1ed175e81f25a8d97b91
Impacted products
Vendor: misp
Product: misp
Version: affected from 0 (inclusive) up to, but not including, 2.5.39 (semver)
Credits
Andras Iklody (remediation developer), José Pedro Moço (finder)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "misp",
          "repo": "https://github.com/MISP/MISP",
          "vendor": "misp",
          "versions": [
            {
              "lessThan": "2.5.39",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Andras Iklody"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Jos\u00e9 Pedro Mo\u00e7o"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMISP instances with the \u003ccode\u003eSecurity.check_sec_fetch_site_header\u003c/code\u003e setting disabled may be exposed to cross-site request forgery attacks against state-changing endpoints, including automation endpoints. A remote unauthenticated attacker could craft a malicious web page or link that causes the browser of an authenticated MISP user to issue POST, PUT, or AJAX requests to the affected instance. If accepted by the application, those requests may be processed with the privileges of the victim user.\u003c/p\u003e\u003cp\u003eThis issue is configuration-dependent. The upstream change introduces an administrative security warning for instances where \u003ccode\u003eSecurity.check_sec_fetch_site_header\u003c/code\u003e is not enabled. Enabling this setting is recommended because it restricts relevant requests to cases where the \u003ccode\u003eSec-Fetch-Site\u003c/code\u003e header is absent or indicates \u003ccode\u003esame-origin\u003c/code\u003e. Operators of multi-homed instances should test before enabling, as this protection may interfere with deployments that are accessed through multiple hostnames or addresses.\u003c/p\u003e\u003cp\u003eAffected configuration:\u003cbr\u003e\u003ccode\u003eSecurity.check_sec_fetch_site_header = false\u003c/code\u003e\u003c/p\u003e\u003cp\u003eRecommended mitigation:\u003cbr\u003eEnable \u003ccode\u003eSecurity.check_sec_fetch_site_header\u003c/code\u003e where compatible with the deployment, and validate legitimate workflows on instances served under multiple hostnames.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "MISP instances with the Security.check_sec_fetch_site_header setting disabled may be exposed to cross-site request forgery attacks against state-changing endpoints, including automation endpoints. A remote unauthenticated attacker could craft a malicious web page or link that causes the browser of an authenticated MISP user to issue POST, PUT, or AJAX requests to the affected instance. If accepted by the application, those requests may be processed with the privileges of the victim user.\n\nThis issue is configuration-dependent. The upstream change introduces an administrative security warning for instances where Security.check_sec_fetch_site_header is not enabled. Enabling this setting is recommended because it restricts relevant requests to cases where the Sec-Fetch-Site header is absent or indicates same-origin. Operators of multi-homed instances should test before enabling, as this protection may interfere with deployments that are accessed through multiple hostnames or addresses.\n\nAffected configuration:\nSecurity.check_sec_fetch_site_header = false\n\nRecommended mitigation:\nEnable Security.check_sec_fetch_site_header where compatible with the deployment, and validate legitimate workflows on instances served under multiple hostnames."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-62",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-62 Cross Site Request Forgery"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "CLEAR",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N/U:Clear",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "orgId": "00000000-0000-4000-9000-000000000000"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/MISP/MISP/commit/b82db1bcaa550689c05e1ed175e81f25a8d97b91"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "MISP may be exposed to CSRF attacks when Sec-Fetch-Site enforcement is disabled",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "00000000-0000-4000-9000-000000000000",
    "datePublished": "2026-06-11T13:07:22.129989Z",
    "dateUpdated": "2026-06-11T13:08:27.777574Z",
    "requesterUserId": "00000000-0000-4000-9000-000000000000",
    "serial": 1,
    "state": "PUBLISHED",
    "vulnId": "gcve-1-2026-20046"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

