
MISP CVE-2026-54397

EUVD: EUVD-2026-36577 · MEDIUM
Incorrect Authorization (CWE-863)
2026-06-12 · CIRCL · GHSA-4qr4-pqwx-m352
6.1 (CVSS 4.0) · Vendor: CIRCL

Severity by source

Vendor (CIRCL), primary: 6.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 6.4 MEDIUM
Rationale: Network-accessible web form; attacker submits crafted request directly (no other user interaction); scope change applies as the attacker accesses sharing group resources outside their authorization boundary.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (CIRCL).

CVSS Vector (Vendor: CIRCL)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: Low (PR:L)
  • User Interaction: Passive (UI:P)
  • Scope: X (not defined; CVSS 4.0 has no Scope metric and expresses subsequent-system impact through SC/SI/SA instead)

Lifecycle Timeline

  • Source Code Evidence Fetched: Jun 12, 2026 21:21 (vuln.today)
  • Analysis Generated: Jun 12, 2026 21:21 (vuln.today)

Description (CVE.org)

A vulnerability in MISP’s non-REST event editing path allowed an authenticated user with event edit permissions to manipulate the submitted form data and set an event’s sharing_group_id to a sharing group they were not authorized to use. When distribution was set to sharing group distribution, the non-REST save path accepted the submitted sharing_group_id without performing the same sharing group authorization check enforced by the REST edit path.

An attacker could exploit this by tampering with the event edit request and assigning an event to an undisclosed or unauthorized sharing group. This could result in unauthorized use of restricted sharing groups, disclosure of the sharing group name in event listings, and unintended modification of the event’s distribution metadata.

The issue is fixed by validating that the selected sharing group can be used by the current user when the sharing group is changed, and by clearing sharing_group_id when the event distribution is not set to sharing group distribution.

Analysis (AI)

Unauthorized sharing group assignment in MISP's non-REST event edit path allows any authenticated event editor to assign an event to a restricted sharing group they are not a member of by tampering with submitted form data. The REST API path enforced sharing group authorization via Event::_edit(), but the web form save path wrote sharing_group_id directly from POST data without equivalent validation - a classic split-path authorization gap (CWE-863). …
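The split-path gap and the fix that the description and analysis above lay out, modelled as an added example (this is not MISP's code; the dict-based event, the `groups` membership map and the function names are constructed stand-ins for MISP's data model and its `Event::_edit()` check):

```python
from typing import Dict, Set

DISTRIBUTION_SHARING_GROUP = 4  # MISP distribution level "sharing group"

class AuthorizationError(Exception):
    pass

def user_can_use_sharing_group(user_org: int, group_id: int, groups: Dict[int, Set[int]]) -> bool:
    """Constructed stand-in for MISP's membership check: groups maps a
    sharing group id to the set of org ids entitled to use it."""
    return user_org in groups.get(group_id, set())

def save_event_vulnerable(user_org, event, post, groups):
    """Pre-fix form path: sharing_group_id copied from POST with no group check."""
    event["distribution"] = int(post["distribution"])
    event["sharing_group_id"] = int(post["sharing_group_id"])
    return event

def save_event_fixed(user_org, event, post, groups):
    """Post-fix form path: the same check the REST path enforced, plus
    clearing sharing_group_id whenever distribution is not sharing-group."""
    distribution = int(post["distribution"])
    if distribution != DISTRIBUTION_SHARING_GROUP:
        event["distribution"], event["sharing_group_id"] = distribution, None
        return event
    new_id = int(post["sharing_group_id"])
    if new_id != event["sharing_group_id"]:  # validate only when the group changes
        if not user_can_use_sharing_group(user_org, new_id, groups):
            raise AuthorizationError(f"sharing group {new_id} not usable by org {user_org}")
    event["distribution"], event["sharing_group_id"] = distribution, new_id
    return event

def outcome(save, user_org, event, post, groups) -> str:
    """Run one save path on a copy of the event and summarise the result."""
    try:
        saved = save(user_org, dict(event), post, groups)
    except AuthorizationError:
        return "denied"
    return f"saved dist={saved['distribution']} sg={saved['sharing_group_id']}"

# Constructed sample data: the editing user belongs to org 1; group 7 is
# restricted to orgs 2 and 3, group 8 admits org 1. The tampered POST points
# the event at group 7 with distribution=4, as in the advisory.
GROUPS = {7: {2, 3}, 8: {1, 2}}
EVENT = {"id": 42, "distribution": 1, "sharing_group_id": None}
TAMPERED_POST = {"distribution": "4", "sharing_group_id": "7"}

if __name__ == "__main__":
    print("vulnerable:", outcome(save_event_vulnerable, 1, EVENT, TAMPERED_POST, GROUPS))
    print("fixed:     ", outcome(save_event_fixed, 1, EVENT, TAMPERED_POST, GROUPS))
```

The fixed path also shows the second half of the upstream change: a request that switches distribution away from 4 has its `sharing_group_id` cleared rather than carried along.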


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Authenticate to MISP with event editor account
  • Delivery: Navigate to target event edit form
  • Exploit: Intercept outgoing HTTP POST via proxy
  • Execution: Modify sharing_group_id to unauthorized group ID with distribution=4
  • Persist: Submit tampered request to non-REST edit endpoint
  • Impact: Restricted sharing group name surfaces in event index listing

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a valid MISP user account with event editing permissions (PR:L in CVSS terms) - unauthenticated exploitation is not possible. …

Risk Assessment: The CVSS 4.0 score of 6.1 with vector AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N reflects a medium-severity finding. …

Exploit Scenario: An authenticated MISP user with event edit permissions uses a browser proxy tool to intercept the HTTP POST request submitted when saving an event edit, modifies the sharing_group_id parameter to the numeric ID of a sharing group they are not authorized to use, and resubmits the request to the non-REST edit endpoint. MISP saves the event with the unauthorized sharing_group_id, and the restricted sharing group's name subsequently appears in the event index listing, disclosing its existence to the attacker and any observers of that event.

Remediation: Upstream fix is available as commit 609ff6c785d7dae41d22ef43dda9347d34cd2a58 at https://github.com/MISP/MISP/commit/609ff6c785d7dae41d22ef43dda9347d34cd2a58; a released patched version number was not independently confirmed from available data - administrators should apply this commit or update to the latest MISP release from the official repository. …



CVE-2026-54397 vulnerability details – vuln.today
