Severity by source
Primary rating from Vendor (CIRCL).
CVSS vector (Vendor: CIRCL): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Rationale: network-reachable REST endpoints (AV:N); any authenticated edit-capable user suffices (PR:L, AC:L); no user interaction; the authorization bypass crosses the tenant boundary, so S:C, with full CIA impact on other organisations' data.
Description (source: CVE.org)
Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, and related nested object identifiers) without consistently stripping, pinning, or revalidating them against the server-authorized object.
In affected paths, an authenticated user with access to one authorized object could submit crafted REST or form payloads that caused MISP to save data against a different object than the one checked by the authorization logic. Depending on the endpoint, this could allow object overwrite, object re-parenting, ownership transfer, unauthorized sharing-group scoping, event/object injection, proposal retargeting, or stored attacker-controlled content appearing in another user’s context.
The fixes harden affected create/edit/import flows by stripping client-supplied primary keys on create-only saves, re-pinning route- or database-authorized identifiers before save operations, validating effective sharing-group scope, and adding field whitelists where ownership fields must never be editable. The initial broad fix also added a central CRUDComponent::edit() primary-key re-pin so payload-supplied IDs cannot redirect saves away from the already-authorized row. GitHub’s patch for 7acf8220c describes this central issue as CRUDComponent::edit() copying supplied fields, including a payload primary key, onto the loaded record, allowing CakePHP save() to update an arbitrary row unless the loaded ID is re-pinned.
Analysis (AI)
Insecure direct object reference flaws in MISP threat-intelligence platform allow an authenticated user with access to any one authorized object to overwrite, re-parent, or transfer ownership of objects belonging to other users or organizations by submitting crafted REST/form payloads containing attacker-chosen primary keys and ownership foreign keys. The root cause is CRUDComponent::edit() mass-assigning payload-supplied IDs (id, event_id, org_id, user_id, sharing_group_id, etc.) onto the already-loaded record, so CakePHP's save() updates a different row than the one the authorization check validated. …
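The mass-assignment pattern described above and the re-pin/whitelist fix, modelled as an added example in Python rather than MISP's own CakePHP code: an edit handler authorizes one row by its route id, then merges the client payload, and the ORM-style save() writes to whichever primary key the merged record carries. The table, field names and the regression-style check are constructed for illustration and are not taken from MISP.

```python
"""Model of an edit-flow IDOR: the row that passes authorization is not the
row that gets saved when the payload may carry its own primary key."""
from copy import deepcopy

# Constructed in-memory "events" table keyed by primary key (not MISP data).
EVENTS = {
    1: {"id": 1, "org_id": 10, "info": "attacker org event"},
    2: {"id": 2, "org_id": 20, "info": "victim org event"},
}
# Fields that must never be client-editable on this path (hypothetical list).
OWNERSHIP_FIELDS = {"id", "org_id", "user_id", "sharing_group_id"}

def authorized(table, row_id, actor_org):
    """Route-level check: the actor may edit only rows owned by its org."""
    row = table.get(row_id)
    return row if row and row["org_id"] == actor_org else None

def save(table, record):
    """Mimics an ORM save(): the row written is whichever 'id' the record carries."""
    table[record["id"]] = record

def edit_vulnerable(table, route_id, actor_org, payload):
    row = authorized(table, route_id, actor_org)
    if row is None:
        return False
    merged = {**row, **payload}      # a payload 'id' overrides the loaded key
    save(table, merged)              # ...so a different row gets updated
    return True

def edit_hardened(table, route_id, actor_org, payload):
    row = authorized(table, route_id, actor_org)
    if row is None:
        return False
    fields = {k: v for k, v in payload.items() if k not in OWNERSHIP_FIELDS}
    merged = {**row, **fields}
    merged["id"] = row["id"]         # re-pin the save to the authorized row
    save(table, merged)
    return True

def demo():
    """Run the same payload through both handlers on fresh copies of the table."""
    bad, good = deepcopy(EVENTS), deepcopy(EVENTS)
    payload = {"id": 2, "info": "overwritten"}   # constructed cross-tenant payload
    edit_vulnerable(bad, route_id=1, actor_org=10, payload=payload)
    edit_hardened(good, route_id=1, actor_org=10, payload=payload)
    return {"vulnerable_victim": bad[2], "hardened_victim": good[2],
            "hardened_own": good[1]}
```

In the vulnerable run the victim row's org_id also flips to the actor's org, which is the ownership-transfer outcome the description lists; an audit-log check for edits whose saved id differs from the route id is the matching detection.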
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Attacker must hold a valid authenticated MISP account with edit permission on at least one object on the target instance (the normal state for any MISP user, including federated sync users and low-privileged contributors); no admin role, no user interaction, and no special site configuration is required. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is high for any MISP instance with multiple users or organizations, because the prerequisite (any authenticated account with edit access to at least one object) is the normal state for every MISP user. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a low-privileged MISP user account on a federated instance, then issues a REST PUT/POST to an edit endpoint they are authorized to touch (e.g., editing one of their own events) while embedding a different organization's event_id or object id in the JSON body. MISP's CRUDComponent::edit() loads the attacker's authorized row, passes the check, then calls save() on the payload, including the injected primary key, overwriting or re-parenting the victim organization's object, transferring ownership, or scoping it to an attacker-controlled sharing group. … |
| Remediation | Upstream fix available (commits, not a tagged release announced in the input); released patched version not independently confirmed. Administrators should pull the listed MISP/MISP commits (starting with 7acf8220cafac58bcfb362da37aca512fe4bb396 and the 14 companion commits referenced in the CVE) or upgrade to the next MISP point release that incorporates them, per https://github.com/MISP/MISP/commit/7acf8220cafac58bcfb362da37aca512fe4bb396. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI)
Within 24 hours: verify no unauthorized object modifications in MISP audit logs and isolate any multi-tenant or shared MISP instances if patch cannot be applied immediately. …
EUVD-2026-38225
GHSA-mf7v-x7r6-fq57