Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could craft a modified request containing another user identifier, potentially causing updates to be applied to an unintended user account. Depending on the editable fields and the attacker’s privileges, this could allow unauthorized modification of user account attributes and impact account integrity.
The issue was addressed by explicitly removing the User.id field from request data before processing the user edit operation.
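The pattern described above, as an added illustration that is not MISP's own code: a constructed in-memory user table stands in for the database, `orm_save` mimics an ORM save that writes the submitted attributes to whichever row the submitted `id` names, `edit_vulnerable` passes the `User` sub-array through unchanged, and `edit_hardened` applies the described fix (drop `User.id` before saving and take the target row from the session). The `SELF_EDITABLE` allowlist is extra hardening assumed here, not part of the upstream fix.

```python
"""Mass-assignment edit handler: vulnerable form beside the hardened form.
Constructed stand-in for the ORM and user table; not MISP's code."""

import copy

# Constructed user table keyed by primary key (stand-in for the database).
USERS = {
    1: {"id": 1, "email": "admin@example.test", "role_id": 1},
    7: {"id": 7, "email": "alice@example.test", "role_id": 3},
}

# Fields a user may change on their own account (hypothetical allowlist).
SELF_EDITABLE = {"email"}


def orm_save(users, data):
    """Stand-in for an ORM save(): update the row whose primary key is
    data['id'] with every other key in `data`. This is why a client-supplied
    id is dangerous: the id decides *which* row receives the attributes."""
    row = users[int(data["id"])]
    for field, value in data.items():
        if field != "id":
            row[field] = value
    return row


def edit_vulnerable(session_user_id, users, form):
    """Pattern described in the advisory: the 'User' sub-array from the
    request is handed to save() as-is, so a submitted id overrides the
    caller's own id."""
    data = dict(form.get("User", {}))
    data.setdefault("id", session_user_id)  # only used when no id was sent
    return orm_save(users, data)


def edit_hardened(session_user_id, users, form):
    """The fix: remove User.id from request data before saving, then bind
    the write to the authenticated user. The allowlist is added hardening."""
    data = dict(form.get("User", {}))
    data.pop("id", None)                       # never trust a client-supplied id
    data = {k: v for k, v in data.items() if k in SELF_EDITABLE}
    data["id"] = session_user_id               # target row comes from the session
    return orm_save(users, data)


def run_scenario(handler):
    """Replay one crafted request against a fresh copy of the table and
    return the rows that changed. Session user 7 submits a form claiming id=1
    (constructed input)."""
    users = copy.deepcopy(USERS)
    crafted = {"User": {"id": "1", "email": "attacker@example.test", "role_id": "1"}}
    handler(7, users, crafted)
    return {uid: row for uid, row in users.items() if row != USERS[uid]}


if __name__ == "__main__":
    print("vulnerable handler changed rows:", run_scenario(edit_vulnerable))
    print("hardened handler changed rows:  ", run_scenario(edit_hardened))
```

With the vulnerable handler the write lands on row 1 (the account the caller does not own); with the hardened handler only the caller's own row 7 changes, and the submitted `role_id` is discarded by the allowlist.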
Analysis (AI)
Privilege escalation in MISP threat intelligence platform versions through 2.5.38 allows authenticated users to modify other users' account attributes by submitting a crafted User.id parameter in edit requests. The UsersController::edit() function failed to strip user-supplied identifiers before processing, enabling cross-account modifications. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires an authenticated session on a MISP instance running version 2.5.38 or earlier, network reachability to the /users/edit endpoint, and the ability to send a modified POST/PUT containing an attacker-controlled User[id] field in the request body. … |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/VC:L/VI:H/SI:H) yields a 9.0 base score driven by high integrity impact on both vulnerable and subsequent systems, with the AT:P (attack requirements present) reflecting that an attacker needs an authenticated session on the target instance. … |
| Exploit Scenario | An attacker with any authenticated MISP account (for example a low-privileged community member) navigates to their own user edit page and intercepts the form submission, then injects a User[id] parameter pointing at an administrator's user ID. The crafted POST is accepted by UsersController::edit() and the ORM writes the attacker-supplied attribute changes (such as email, role association, or other editable fields) to the targeted administrator account, enabling account takeover or privilege escalation within the threat-sharing community. |
| Remediation | Upstream fix available (commit 1be8c41 in the MISP/MISP repository); a released patched version tag was not independently confirmed from the provided data, but operators should upgrade to the first MISP release following 2.5.38 containing this commit, available via https://github.com/MISP/MISP/commit/1be8c413b7104a889dfd30c5b1986e3ab17238e8. … |
Recommended Action (AI)
Within 24 hours: Identify all MISP deployments and current versions; review authentication and edit request logs for suspicious User.id parameter modifications; restrict platform access to essential personnel only. …
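The log review recommended above, as an added detection example that is not part of the original page or of MISP: it scans request-log lines for POST submissions to /users/edit whose `User[id]` field differs from the authenticated session user. The log format (timestamp, `user_id=`, method, path, quoted form body) is a constructed, hypothetical one and assumes request bodies are captured, for example by a WAF or an application audit log; the regex must be adapted to the format actually in use.

```python
"""Flag /users/edit submissions whose User[id] names another account.
Constructed log format and sample lines; not MISP's code."""

import re
from urllib.parse import parse_qs

# Constructed sample lines in a hypothetical format: timestamp, authenticated
# user id, method, path, and the form-encoded body as a quoted string.
SAMPLE_LOG = """\
2026-01-10T09:14:02Z user_id=7 method=POST path=/users/edit body="User[email]=alice%40example.test"
2026-01-10T09:15:40Z user_id=7 method=POST path=/users/edit body="User[id]=1&User[email]=attacker%40example.test"
2026-01-10T09:16:05Z user_id=3 method=GET path=/users/view/3 body=""
2026-01-10T09:17:11Z user_id=3 method=POST path=/users/edit body="User[id]=3&User[email]=bob%40example.test"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user_id=(?P<uid>\d+) method=(?P<method>\w+) '
    r'path=(?P<path>\S+) body="(?P<body>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def submitted_user_id(body):
    """Extract User[id] from a form-encoded body; None when the field is absent."""
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("User[id]")
    return values[0] if values else None


def find_cross_account_edits(log_text):
    """Return edit submissions whose User[id] differs from the session user.
    A matching id is benign (the edit form normally echoes the caller's own
    id); a mismatch is the signature of the crafted request in this CVE."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if not rec["path"].startswith("/users/edit"):
            continue
        sent = submitted_user_id(rec["body"])
        if sent is not None and sent != rec["uid"]:
            findings.append(
                {"ts": rec["ts"], "session_user": rec["uid"], "submitted_id": sent}
            )
    return findings


if __name__ == "__main__":
    for f in find_cross_account_edits(SAMPLE_LOG):
        print(f"{f['ts']}: user {f['session_user']} submitted User[id]={f['submitted_id']}")
```

On the sample input only the second line is flagged: user 7 submitted `User[id]=1`. A submission without `User[id]`, or one that matches the session user, is left alone so that ordinary self-edits do not generate noise.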
Weakness: CWE-269 – Improper Privilege Management
Technique: Privilege Escalation
Related identifiers: EUVD-2026-34289, GHSA-h7wj-m45x-884x