Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible MISP UI (AV:N/AC:L), requires org-admin privileges (PR:H), no victim interaction (UI:N), and full compromise of the MISP instance once a same-org site admin is taken over (C/I/A:H).
Primary rating from Vendor (5a6e4751-2f3f-4070-9419-94fb35b644e8).
CVSS VectorVendor: 5a6e4751-2f3f-4070-9419-94fb35b644e8
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
An incorrect authorization vulnerability in MISP allows an organization administrator to target site administrator accounts belonging to the same organization through the administrative email functionality. The affected code restricted organization administrators to users within their own organization, but did not exclude accounts assigned a site administrator role from recipient queries. As a result, an organization administrator could perform privileged account-management actions, such as initiating a password reset workflow, against a higher-privileged site administrator account in the same organization.
Successful exploitation may allow an authenticated organization administrator to interfere with or potentially take over a site administrator account, resulting in privilege escalation and full compromise of the MISP instance’s confidentiality, integrity, and availability.
Attack prerequisites: The attacker must be authenticated as an organization administrator in the same organization as a site administrator account.
AnalysisAI
Privilege escalation in MISP (Malware Information Sharing Platform) allows an authenticated organization administrator to target site administrator accounts within their own organization via the administrative email functionality, enabling privileged actions such as triggering a password-reset workflow against a higher-privileged user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. Successful exploitation results in full takeover of the targeted site admin account and complete compromise of the MISP instance.
Technical ContextAI
MISP is an open-source threat intelligence sharing platform written in PHP (CakePHP framework). The flaw lives in app/Controller/UsersController.php in the admin_quickEmail and admin_email actions, which build recipient queries scoped to the organization administrator's own organization but fail to also filter out users assigned a site-administrator role. This is a textbook CWE-863 (Incorrect Authorization) defect: the authorization check enforces organizational tenancy but omits role-based tenancy across the privilege hierarchy, so org-admin tooling can reach into the higher-trust site-admin tier whenever the two roles co-exist in the same organization.
RemediationAI
Upstream fix available (PR/commit); released patched version not independently confirmed - apply commit 146795489abef478c8f595ecde2501c32482b81e from https://github.com/MISP/MISP/commit/146795489abef478c8f595ecde2501c32482b81e or upgrade to the first tagged MISP release that includes it. As a compensating control until patched, move all site administrator accounts out of any organization that also contains organization administrators (placing site admins in a dedicated administrative-only organization removes the precondition entirely), and audit existing org-admin assignments to confirm none share an organization with a site admin; the trade-off is operational friction for environments that intentionally co-locate roles. Additionally, monitor MISP audit logs for use of the admin_quickEmail and admin_email endpoints by non-site-admin users and alert on password-reset emails delivered to site administrator accounts.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36550
GHSA-9cgp-f46x-4wgf