Severity by source
CVSS Vector (Vendor: CIRCL)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable admin UI (AV:N/AC:L), requiring a site_admin account (PR:H) and no user interaction; code execution as the MISP process user escapes the application into the underlying OS (S:C), with full CIA impact.
Primary rating from Vendor (CIRCL).
Description (CVE.org)
MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path. MISP subsequently parsed the referenced INI file and passed its options to rdkafka. A crafted attacker-controlled configuration file could use rdkafka options such as plugin.library.paths to load an external library, resulting in arbitrary code execution with the privileges of the MISP process. An attacker could leverage a MISP-writable location, such as an uploaded file or administrative image, to host the malicious configuration file.
The issue is fixed by restricting the setting to absolute .ini files located only in approved configuration directories outside the webroot and MISP upload targets.
Analysis (AI-generated)
Authenticated arbitrary code execution in MISP: a site administrator can abuse the Kafka_rdkafka_config setting to point at an attacker-controlled INI file, which MISP parses and passes to rdkafka; options such as plugin.library.paths then load an arbitrary shared library. The flaw (CWE-829, inclusion of functionality from an untrusted control sphere) yields code execution as the MISP process user. No public exploit was identified at the time of analysis, but a vendor patch is available.
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Requires an authenticated MISP site administrator account (the Server Settings UI/API is restricted to the site_admin role) on a MISP instance where the Kafka_rdkafka_config setting is writable. … |
| Risk Assessment | The CVSS 4.0 score of 9.3 is driven by AV:N/AC:L with high confidentiality, integrity and subsequent-system impact, but PR:H is the key moderator: only a MISP site administrator can change server settings, so this is a privilege-escalation/persistence primitive rather than a perimeter-breaching RCE. … |
| Exploit Scenario | A MISP site administrator (a legitimate insider, or an attacker who has phished or hijacked an admin session or API key) uploads a malicious shared library disguised as an attachment or organisation logo, then uploads a small INI file containing plugin.library.paths=/var/www/MISP/app/files/<id>/payload.so. They navigate to Administration → Server Settings, set Kafka_rdkafka_config to the INI file path, and trigger any Kafka-publishing action; rdkafka dlopen()s the payload and the attacker gains code execution as the www-data/apache user. … |
| Remediation | The upstream fix is commit 9600d486ccfc98388e13897fd954350cebac5fb0 (https://github.com/MISP/MISP/commit/9600d486ccfc98388e13897fd954350cebac5fb0); upgrade to the first MISP release that incorporates this commit and verify that Server::testKafkaRdkafkaConfig (or the equivalent path validator) restricts the setting to absolute .ini files in approved configuration directories. … |
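One way to implement the path restriction the fix describes (absolute .ini files only, inside approved configuration directories, never the webroot or MISP upload targets), together with a defender's pre-check that flags the code-loading rdkafka option named in the description, as an added example in Python that is not MISP's own code (MISP's validator, Server::testKafkaRdkafkaConfig, is PHP and its list of approved directories is not reproduced here). The directory names, the function names and the sample INI bodies are assumptions constructed for this example.

```python
"""Validate a MISP-style rdkafka INI setting and audit the file's options.

Added example, not MISP's code. Directory allow/deny lists are assumed values.
"""
import os

# Assumed allowlist of directories an operator approves for rdkafka INI files.
APPROVED_CONFIG_DIRS = ("/etc/misp/kafka", "/usr/local/etc/misp")

# Locations the advisory says the setting must never point into: the webroot
# and MISP upload targets. Conventional MISP layout, assumed for the example.
DENIED_PREFIXES = (
    "/var/www/MISP/app/webroot",
    "/var/www/MISP/app/files",
    "/var/www/MISP/app/tmp",
)

# rdkafka options that make the client load code from disk.
# plugin.library.paths is the one named in the advisory; the set is extensible.
CODE_LOADING_KEYS = frozenset({"plugin.library.paths"})


def _under(path, directory):
    """True if path equals directory or lies beneath it (both already resolved)."""
    try:
        return os.path.commonpath([path, directory]) == directory
    except ValueError:  # mixed absolute/relative or different drives
        return False


def validate_rdkafka_config_path(setting, approved_dirs=APPROVED_CONFIG_DIRS,
                                 denied_prefixes=DENIED_PREFIXES):
    """Return (ok, reason); ok is True only for an absolute .ini inside an approved dir.

    Both the candidate and the allow/deny lists go through realpath before the
    comparison, so '..' segments and a symlink planted in an approved directory
    cannot redirect the setting back into the webroot or an upload directory.
    """
    if not isinstance(setting, str) or not setting:
        return False, "setting must be a non-empty string"
    if "\x00" in setting:
        return False, "embedded NUL byte"
    if not os.path.isabs(setting):
        return False, "path must be absolute"
    if not setting.lower().endswith(".ini"):
        return False, "file must have a .ini extension"

    resolved = os.path.realpath(setting)
    if not resolved.lower().endswith(".ini"):
        return False, "resolved target is not a .ini file"  # e.g. symlink to a .so

    for prefix in denied_prefixes:
        if _under(resolved, os.path.realpath(prefix)):
            return False, "path resolves into a denied location: %s" % prefix

    for directory in approved_dirs:
        if _under(resolved, os.path.realpath(directory)):
            return True, "inside approved directory %s" % directory
    return False, "path is not inside an approved configuration directory"


def parse_flat_ini(text):
    """Parse a section-less key=value INI body; ';' and '#' start comments."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        options[key.strip().lower()] = value.strip().strip("\"'")
    return options


def audit_rdkafka_options(text, code_loading_keys=CODE_LOADING_KEYS):
    """Return the sorted option names in the INI body that would load code."""
    return sorted(k for k in parse_flat_ini(text) if k in code_loading_keys)


# Constructed sample INI bodies (not taken from any real deployment).
BENIGN_INI = "bootstrap.servers=kafka.internal:9092\nsecurity.protocol=ssl\n"
HOSTILE_INI = (
    "; constructed example of the kind of file the advisory describes\n"
    "bootstrap.servers=kafka.internal:9092\n"
    "plugin.library.paths=/var/www/MISP/app/files/1/payload.so\n"
)

if __name__ == "__main__":
    for candidate in ("/etc/misp/kafka/producer.ini",
                      "/var/www/MISP/app/files/1/evil.ini",
                      "producer.ini"):
        print(candidate, validate_rdkafka_config_path(candidate))
    print("benign:", audit_rdkafka_options(BENIGN_INI))
    print("hostile:", audit_rdkafka_options(HOSTILE_INI))
```

The allowlist is deployment-specific and should be short; the important design choice is resolving both sides with realpath rather than doing string prefix matching on the raw setting, which is what lets a traversal segment or a symlink inside an approved directory slip past a naive check. The audit function is meant for a configuration review of an already-deployed instance: run it over the file the setting points to, and treat any hit as a finding regardless of where the file lives.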
Recommended Action (AI-generated)
Within 24 hours: Identify all MISP deployments and confirm current versions against vendor advisory. …
Related MISP vulnerabilities
- SQL injection in MISP threat intelligence platform versions prior to 2.5.37 allows remote unauthenticated attackers to m…
- Broken access control in MISP Core's bulk deletion handlers lets any authenticated user holding the broad perm_add or pe…
- Insecure direct object reference flaws in MISP threat-intelligence platform allow an authenticated user with access to a…
- Multiple OAuth 2.0 flow weaknesses in the MISP AAD (Azure Active Directory) authentication plugin allow session hijackin…
- Privilege escalation in MISP threat intelligence platform versions through 2.5.38 allows authenticated users to modify o…
- Stored cross-site scripting in MISP (Malware Information Sharing Platform) versions before 2.5.28 allows authenticated u…
- LDAP injection in MISP (Malware Information Sharing Platform) versions prior to 2.5.36 enables unauthenticated attackers…
- Remote code execution in MISP allows authenticated site administrators to abuse the JsonLogTool NDJSON error log configu…
- Privilege escalation in MISP threat intelligence platform versions prior to 2.5.37 allows organization administrators to…
- Insecure Direct Object Reference in MISP 2.5.0 through 2.5.37 allows authenticated users with shadow attribute submissio…
- OTP authentication bypass in MISP affects deployments where LdapAuth.mixedAuth=true is combined with Security.require_ot…
- Authorization bypass in MISP versions through 2.5.38 lets authenticated users delete records via HTTP DELETE requests ev…
Related identifiers: EUVD-2026-38231, GHSA-834x-pvxg-xh58