Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Low-privilege authentication required (read-only API key); no scope change; impact limited to event data integrity with no confidentiality or availability loss.
Primary rating from Vendor (5a6e4751-2f3f-4070-9419-94fb35b644e8).
CVSS VectorVendor: 5a6e4751-2f3f-4070-9419-94fb35b644e8
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An authorization bypass in MISP’s EventsController::importModule() allowed authenticated users or read-only API keys with event view access to persist data to events they were not allowed to modify. When an import module returned results in the misp_standard format, the write path did not verify event modification rights before saving the module output. This could allow a view-only user to inject or alter event data, impacting the integrity of MISP event content. The issue was fixed by enforcing the same modification-rights check used by related module result handling paths before processing misp_standard imports.
AnalysisAI
Authorization bypass in MISP's EventsController::importModule() allows authenticated users or read-only API key holders with event view access to persist unauthorized data modifications to events. When an import module returns results in the misp_standard format, the write path skips the modification-rights check applied by all other module result handling paths, allowing a view-only principal to inject or overwrite event content they have no permission to edit. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session or a valid read-only API key with event view access on the target MISP instance - unauthenticated access is insufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 5.3 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N) accurately reflects a medium-severity integrity-only flaw requiring low-privilege authentication. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a legitimate read-only API key - obtained through standard registration, credential theft, or insider access - authenticates to a MISP instance and invokes an import module that returns results in the misp_standard format. Because the write path does not verify modification rights for this format, the module output is persisted to the target event, allowing the attacker to inject false indicators, alter existing threat intelligence entries, or corrupt event metadata on events they have no write permission to modify. |
| Remediation | Update MISP to a version incorporating commit d0725fc34fda256cc57e5a8f0543cd541033e008 - the exact first patched release tag is not independently confirmed from available data, so administrators should verify against the MISP release changelog and upgrade to the latest available release beyond 2.5.42. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42239
GHSA-frwx-j879-pmqv