
MISP CVE-2026-54360 | EUVD-2026-36552 | HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-12 · Vendor 5a6e4751-2f3f-4070-9419-94fb35b644e8 · GHSA-j794-65mg-q3vf
CVSS 4.0 base score 8.4 (Vendor: 5a6e4751-2f3f-4070-9419-94fb35b644e8)

Severity by source

Vendor (5a6e4751-2f3f-4070-9419-94fb35b644e8), primary: 8.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 9.6 CRITICAL
Network-reachable add endpoint exploitable by any authenticated user with the add-sharing-group role (PR:L, AC:L); scope changes because the vulnerable controller modifies another org's authorization boundary; high C and I on shared data, no availability impact.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:L/SA:N

Primary rating from Vendor (5a6e4751-2f3f-4070-9419-94fb35b644e8).

CVSS Vector (Vendor: 5a6e4751-2f3f-4070-9419-94fb35b644e8)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

Patch available: Jun 12, 2026 - 21:01 (EUVD)
Source Code Evidence Fetched: Jun 12, 2026 - 20:33 (vuln.today)
Analysis Generated: Jun 12, 2026 - 20:33 (vuln.today)

Description (CVE.org)

A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create() followed by save() operation to update an existing record instead of creating a new one.

An authenticated user with permission to add sharing groups could therefore submit the identifier of an existing sharing group and modify that sharing group without passing the normal edit access-control checks. This may allow the attacker to take over or alter sharing groups they do not otherwise have access to, potentially affecting the confidentiality and integrity of information shared through those groups.

Affected component: app/Controller/SharingGroupsController.php, add() action

Analysis (AI)

Mass assignment in MISP's sharing group creation endpoint allows authenticated users with add-sharing-group permission to hijack arbitrary existing sharing groups by submitting the target group's primary key in the add() request. The CakePHP create()+save() pattern treats a supplied id as an update, bypassing the normal edit ACL on app/Controller/SharingGroupsController.php and exposing confidentiality and integrity of shared threat intelligence. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate to MISP with add-sharing-group role
Delivery: Enumerate or guess target sharing group id
Exploit: POST to /sharing_groups/add with target id in payload
Execution: CakePHP save() updates target row, bypassing edit ACL
Persist: Attacker org joins privileged sharing group
Impact: Read or tamper with shared intelligence

Vulnerability Assessment (AI)

Exploitation: Attacker needs an authenticated MISP account with the 'add sharing group' permission (a non-administrative role commonly granted to org admins and analysts), network reachability to the MISP web UI/API, and knowledge or enumeration of the integer id of the sharing group they wish to hijack. …

Risk Assessment: CVSS 4.0 base 8.4 reflects network-reachable exploitation at low complexity with only low privileges (PR:L), high confidentiality impact on the vulnerable system, and a high subsequent-system confidentiality impact because compromised sharing groups expose data from other MISP organizations. …

Exploit Scenario: An analyst account in a multi-tenant MISP instance is granted the routine 'add sharing group' permission. The attacker submits a POST to /sharing_groups/add with a valid sharing group payload plus the numeric id of a privileged sharing group belonging to another organization; CakePHP's save() silently updates that target group, letting the attacker add their own org to it and read or alter all events shared through it.

Remediation: Upstream fix available (PR/commit); a released patched version is not independently confirmed. Apply the change in MISP commit 687e7cb530ae0e2faaadf5e3e44712258fb3ef1b, which adds unset($sg['id']) in SharingGroupsController::add() to strip the user-controlled primary key before save (https://github.com/MISP/MISP/commit/687e7cb530ae0e2faaadf5e3e44712258fb3ef1b), and upgrade to the next tagged MISP release that includes it. …
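The create()+save() behaviour behind this bug, and the effect of the unset($sg['id']) fix, as an added PHP illustration that is not MISP's or CakePHP's own code: the in-memory FakeSharingGroupModel, the two simplified add() variants, the seed() helper and the sample groups are constructed stand-ins for the real ORM and controller.

```php
<?php
// Added illustration, not MISP's or CakePHP's code. FakeSharingGroupModel mimics the
// CakePHP 2 rule the advisory describes: save() data that carries the primary key
// becomes an UPDATE of that row, anything else becomes an INSERT.
final class FakeSharingGroupModel {
    public array $rows = [];     // id => record, stands in for the sharing_groups table
    private int $nextId = 1;
    public function create(): void {}   // in CakePHP this only resets model state
    public function save(array $data): array {
        if (isset($data['id']) && isset($this->rows[$data['id']])) {
            // Known primary key supplied: the existing row is overwritten in place.
            $this->rows[$data['id']] = array_merge($this->rows[$data['id']], $data);
            return $this->rows[$data['id']];
        }
        $data['id'] = $this->nextId++;            // no id: a fresh row is inserted
        $this->rows[$data['id']] = $data;
        return $data;
    }
}

// Simplified add() action with the flaw: request data is saved exactly as submitted,
// so the edit-path authorization check is never consulted for the row being changed.
function addVulnerable(FakeSharingGroupModel $m, array $request, int $callerOrg): array {
    $sg = $request;
    $sg['org_id'] = $callerOrg;
    $m->create();
    return $m->save($sg);
}

// Same action with the upstream fix: the user-controlled id is dropped before save.
function addFixed(FakeSharingGroupModel $m, array $request, int $callerOrg): array {
    $sg = $request;
    unset($sg['id']);
    $sg['org_id'] = $callerOrg;
    $m->create();
    return $m->save($sg);
}

// Constructed scenario: org 1 owns sharing group 1; org 2 submits an add() body carrying id=1.
function seed(): FakeSharingGroupModel {
    $m = new FakeSharingGroupModel();
    $m->save(['name' => 'Partner feed', 'org_id' => 1]);
    return $m;
}
$request = ['id' => 1, 'name' => 'Partner feed', 'roaming' => true];
$m = seed();
addVulnerable($m, $request, 2);
printf("vulnerable: %d row(s); group 1 is now owned by org %d\n", count($m->rows), $m->rows[1]['org_id']);
$m = seed();
$new = addFixed($m, $request, 2);
printf("fixed: %d row(s); group 1 still owned by org %d, caller got new group %d\n", count($m->rows), $m->rows[1]['org_id'], $new['id']);
```

The contrast is the whole point of the patch: with the id stripped, a caller with only the add permission can never address an existing row, so the edit ACL remains the only path to modifying someone else's group.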

Recommended Action (AI)

Within 24 hours: audit all users with add-sharing-group permission in MISP and document current sharing group configurations and ownership. …

