Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable CSRF requires victim to visit attacker page (UI:R) with active MISP session; no auth needed by attacker (PR:N); integrity-only impact on MISP data and config.
Primary rating from Vendor (5a6e4751-2f3f-4070-9419-94fb35b644e8).
CVSS VectorVendor: 5a6e4751-2f3f-4070-9419-94fb35b644e8
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided Sec-Fetch-Site header. A remote unauthenticated attacker could craft a malicious web page that causes an authenticated MISP user’s browser to issue cross-site requests to MISP automation endpoints. If successful, the forged requests may be processed with the privileges of the victim user, potentially allowing unauthorized modification of MISP data or configuration. Enabling Security.check_sec_fetch_site_header mitigates this issue, although operators of multi-homed MISP deployments should validate the setting before enforcing it.
AnalysisAI
Cross-site request forgery in MISP (Malware Information Sharing Platform) stems from the Security.check_sec_fetch_site_header control shipping disabled by default, leaving state-changing automation endpoints unprotected against browser-issued cross-origin requests. A remote attacker hosting a malicious page can coerce an authenticated MISP user's browser into submitting forged POST/PUT/AJAX requests that execute with the victim's privileges, enabling unauthorized data or configuration changes. No public exploit identified at time of analysis, and the issue is not in CISA KEV.
Technical ContextAI
MISP is an open-source threat intelligence sharing platform written in PHP (CakePHP). Modern browsers attach the Sec-Fetch-Site fetch metadata header to outgoing requests, indicating whether the request originated same-origin, same-site, cross-site, or from user navigation; servers can use this signal to cheaply reject cross-site state-changing requests. MISP exposes a Security.check_sec_fetch_site_header server setting that, when enabled, rejects state-changing requests lacking an acceptable Sec-Fetch-Site value, but the default is off. The root cause class is CWE-352 (Cross-Site Request Forgery): automation endpoints accept side-effecting requests without verifying the originator, so an authenticated user's session cookies are sufficient to authorize forged requests. The upstream commit b82db1bcaa550689c05e1ed175e81f25a8d97b91 in app/Model/Server.php adds a testSecFetchSiteHeader validator that emits a warning when the setting is left disabled, but does not flip the default to enabled, presumably to preserve compatibility with multi-homed deployments where legitimate cross-host navigation would be blocked.
RemediationAI
Upstream fix available (commit b82db1bcaa550689c05e1ed175e81f25a8d97b91); released patched version not independently confirmed, so operators should pull the latest MISP release that includes this commit and then explicitly set Security.check_sec_fetch_site_header to true in the MISP server settings to enforce Sec-Fetch-Site validation on state-changing requests. Note that the patch itself only adds an operator-facing warning rather than flipping the default, so applying the upgrade without changing the setting leaves the instance exposed. Operators of multi-homed MISP deployments (the same instance reachable under multiple hostnames, common with reverse proxies or split-horizon DNS) should test the setting in staging first, because enabling it can break legitimate cross-host navigation between aliases of the same instance; if multi-homing is required, consolidate to a single canonical hostname behind the proxy or restrict the automation endpoints with an authenticating reverse proxy and per-session CSRF tokens as compensating controls. Until the setting is enabled, restrict MISP web UI access to a VPN or trusted IP ranges to reduce the population of browsers an attacker can target.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36551
GHSA-g8rg-9w6v-v9gv