
MISP CVE-2026-10855

EUVD ID: EUVD-2026-34259 · Severity: MEDIUM
Weakness: Missing Authorization (CWE-862)
Published 2026-06-04 · Vendor: CIRCL · Advisory: GHSA-243v-5f97-vfq3
CVSS 4.0 base score: 5.1 (rated by CIRCL)

Severity by source

Vendor (CIRCL), primary and only source for this CVE: 5.1 MEDIUM

CVSS 4.0 vector (Vendor: CIRCL):
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base metrics decoded from the vector:
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: High (PR:H)
User Interaction: None (UI:N)
Vulnerable System impact: Confidentiality None, Integrity Low, Availability None (VC:N/VI:L/VA:N)
Subsequent System impact: Confidentiality None, Integrity Low, Availability None (SC:N/SI:L/SA:N)

All threat, environmental and supplemental metrics are Not Defined (X). CVSS 4.0 has no Scope metric; the S:X component of the vector is the Safety supplemental metric, left Not Defined.

Lifecycle Timeline (4 events, oldest first)

  • Jun 04, 2026 13:05 · CVE published (NVD) · no severity yet
  • Jun 04, 2026 14:22 · CVSS changed (NVD) · 5.1 (MEDIUM)
  • Jun 04, 2026 16:24 · Source code evidence fetched (vuln.today)
  • Jun 04, 2026 16:24 · Analysis generated (vuln.today)

Description (source: CVE.org)

An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization that owned the existing template. As a result, an authenticated user with access to the template import functionality could forcibly overwrite an event template owned by another organization.

Successful exploitation could allow unauthorized modification of another organization’s event template, potentially altering template structure, attributes, or metadata used for subsequent event creation or sharing workflows. Site administrators are not affected by this restriction, as they are explicitly allowed to overwrite templates across organizations.

The issue was fixed by enforcing an ownership check before overwrite: non-site-admin users may only overwrite templates owned by their own organization.
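The following is an added illustrative model, written for this page and not taken from MISP's code base, of the overwrite authorization decision described above: the pre-fix path only confirms that a template with the incoming UUID exists, the fixed path additionally requires that a non-site-admin importer belongs to the owning organization. The class and function names, the in-memory template store, and the rule that an overwrite keeps the existing owner organization are assumptions made for the example.

```python
# Added illustrative model, not MISP's own code: the event-template overwrite
# authorization decision, before and after the fix. Class/function names, the
# in-memory store and the "overwrite keeps the owner org" rule are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class User:
    org_id: int
    site_admin: bool = False


@dataclass(frozen=True)
class IncomingTemplate:
    """Parsed content of an uploaded template file (assumed shape)."""
    uuid: str
    name: str
    version: int


@dataclass
class StoredTemplate:
    uuid: str
    org_id: int  # owning organisation
    name: str
    version: int


TemplateStore = Dict[str, StoredTemplate]  # keyed by template UUID


def _create(store: TemplateStore, user: User, inc: IncomingTemplate) -> str:
    store[inc.uuid] = StoredTemplate(inc.uuid, user.org_id, inc.name, inc.version)
    return "created"


def _replace(store: TemplateStore, existing: StoredTemplate, inc: IncomingTemplate) -> str:
    # Assumption: an overwrite replaces the content but keeps the existing owner org.
    store[inc.uuid] = StoredTemplate(inc.uuid, existing.org_id, inc.name, inc.version)
    return "overwritten"


def import_template_vulnerable(store: TemplateStore, user: User,
                               inc: IncomingTemplate, overwrite: bool) -> str:
    """Pre-fix logic: checks that the template exists, never who owns it."""
    existing = store.get(inc.uuid)
    if existing is None:
        return _create(store, user, inc)
    if not overwrite:
        return "exists"
    return _replace(store, existing, inc)  # BUG: no ownership check at all


def import_template_fixed(store: TemplateStore, user: User,
                          inc: IncomingTemplate, overwrite: bool) -> str:
    """Post-fix logic: non-site-admins may only overwrite their own org's templates."""
    existing = store.get(inc.uuid)
    if existing is None:
        return _create(store, user, inc)
    if not overwrite:
        return "exists"
    if not user.site_admin and existing.org_id != user.org_id:
        raise PermissionError(
            f"template {inc.uuid} belongs to org {existing.org_id}; "
            f"importer is in org {user.org_id} and is not a site admin")
    return _replace(store, existing, inc)


def run_scenario(importer: Callable[..., str], actor: User) -> str:
    """Org 1 owns template 'tpl-1'; `actor` then re-imports it in overwrite mode."""
    store: TemplateStore = {}
    _create(store, User(org_id=1), IncomingTemplate("tpl-1", "phishing-report", 1))
    tampered = IncomingTemplate("tpl-1", "phishing-report", 2)
    try:
        outcome = importer(store, actor, tampered, overwrite=True)
    except PermissionError:
        return "denied"
    assert store["tpl-1"].org_id == 1  # the owner org is never transferred
    return outcome


if __name__ == "__main__":
    for name, fn in (("vulnerable", import_template_vulnerable),
                     ("fixed", import_template_fixed)):
        for label, actor in (("owner org", User(1)), ("other org", User(2)),
                             ("site admin", User(3, site_admin=True))):
            print(f"{name:10} {label:10} -> {run_scenario(fn, actor)}")
```

The only line that changes between the two importers is the ownership test before `_replace`; the existence check and the overwrite flag were already present and are not what protected the template.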

Analysis (AI-generated)

Authorization bypass in MISP's Event Template Importer allows authenticated users with template import privileges to overwrite event templates owned by other organizations on the same shared instance, violating inter-organizational data ownership boundaries. Versions up to and including 2.5.38 are affected; the overwrite workflow confirmed template existence but omitted an organizational ownership check, enabling cross-org template corruption. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: authenticate with a MISP account that holds the template import permission
  • Delivery: enumerate the target organization's template UUID via the MISP API or UI
  • Exploit: craft an overwrite-mode import request carrying a malicious template payload
  • Execution: submit the HTTP request; the pre-patch server performs no org ownership check
  • Impact: the target organization's event template is overwritten with attacker-controlled content

Vulnerability Assessment (AI-generated)

Exploitation: exploitation requires (1) an authenticated MISP account with the template import role permission enabled, which is not a default low-privilege capability; (2) knowledge of a target event template UUID belonging to a different organization on the same MISP instance, obtainable via the MISP UI or API; and (3) an import request submitted explicitly in overwrite mode. …

Risk Assessment: CVSS 4.0 scores this 5.1 (Medium) with vector AV:N/AC:L/AT:N/PR:H/UI:N, reflecting network reachability and low attack complexity but a high privilege requirement (PR:H): the attacker must already hold an authenticated account with template import capability. The scored impact is integrity-only and low (VI:L/SI:L); no confidentiality or availability loss is attributed to the flaw. …

Exploit Scenario: an authenticated MISP user with template import privileges on a shared multi-organization instance identifies the UUID of an event template owned by a target organization, obtainable through normal MISP template browsing. The attacker submits an HTTP import request in overwrite mode referencing that UUID with a crafted template payload; the pre-patch server replaces the victim organization's template without checking ownership. …

Remediation: the upstream fix is available via commit 7c2200d143bef86aaf58d701b6968a843097db69 at https://github.com/MISP/MISP/commit/7c2200d143bef86aaf58d701b6968a843097db69. Operators should upgrade MISP to the first tagged release incorporating this commit (the release immediately following 2.5.38; confirm the exact version tag in the MISP GitHub releases list, as the precise patched release version was not confirmed in available data). Until the upgrade is applied, the exploitation conditions above suggest two interim measures: keep the template import permission limited to accounts that genuinely need it, since only such accounts can trigger the flaw, and review existing event templates on shared multi-organization instances for modifications not made by the owning organization or a site administrator. …
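As an added example that is not part of the vuln.today page or the MISP project, the following hunts for the pattern in the exploit scenario above, a non-site-admin overwriting a template owned by another organization, over a constructed audit trail of template imports. The record fields (`user_org`, `site_admin`, `mode`, `template_org` and so on) are assumptions made for this example, not MISP's log format; a real deployment would map its own audit fields onto them.

```python
# Added example, not code from vuln.today or the MISP project: a hunt for
# cross-organisation template overwrites over a constructed audit trail.
# The record fields are assumptions for this example, not MISP's log format.
import json
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample log, one JSON object per line. The non-JSON line is
# deliberate, to show that the scanner skips what it cannot parse.
SAMPLE_LOG = """\
{"ts":"2026-06-01T10:00:00Z","user":"alice","user_org":1,"site_admin":false,"action":"template_import","mode":"overwrite","template_uuid":"tpl-1","template_org":1}
{"ts":"2026-06-01T10:05:00Z","user":"mallory","user_org":2,"site_admin":false,"action":"template_import","mode":"overwrite","template_uuid":"tpl-1","template_org":1}
{"ts":"2026-06-01T10:06:00Z","user":"siteadmin","user_org":3,"site_admin":true,"action":"template_import","mode":"overwrite","template_uuid":"tpl-2","template_org":1}
{"ts":"2026-06-01T10:07:00Z","user":"mallory","user_org":2,"site_admin":false,"action":"template_import","mode":"create","template_uuid":"tpl-3","template_org":2}
{"ts":"2026-06-01T10:08:00Z","user":"mallory","user_org":2,"site_admin":false,"action":"template_import","mode":"overwrite","template_uuid":"tpl-4","template_org":1}
this line is not json
{"ts":"2026-06-01T10:09:00Z","user":"bob","user_org":2,"site_admin":false,"action":"event_add","event_id":42}
"""

REQUIRED = ("user", "user_org", "site_admin", "template_uuid", "template_org")


def parse_records(text: str) -> List[dict]:
    """Parse JSON lines, dropping blank and unparsable lines."""
    records: List[dict] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def is_cross_org_overwrite(rec: dict) -> bool:
    """True when a non-site-admin overwrote a template owned by another org."""
    if rec.get("action") != "template_import" or rec.get("mode") != "overwrite":
        return False
    if any(k not in rec for k in REQUIRED):
        return False
    if rec["site_admin"]:
        return False  # site admins are explicitly allowed to overwrite across orgs
    return rec["user_org"] != rec["template_org"]


def find_cross_org_overwrites(records: Iterable[dict]) -> List[dict]:
    """All records matching the cross-org overwrite pattern, in log order."""
    return [r for r in records if is_cross_org_overwrite(r)]


def count_by_actor(findings: Iterable[dict]) -> Dict[str, int]:
    """How many foreign templates each actor overwrote."""
    return dict(Counter(r["user"] for r in findings))


if __name__ == "__main__":
    hits = find_cross_org_overwrites(parse_records(SAMPLE_LOG))
    for h in hits:
        print(h["ts"], h["user"], "(org", h["user_org"], ") overwrote",
              h["template_uuid"], "owned by org", h["template_org"])
    print(count_by_actor(hits))
```

Same-org overwrites and site-admin overwrites are legitimate by the page's own description and are not flagged; only the third record class, a non-site-admin replacing another organization's template, is what the pre-patch server should never have allowed.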
