Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible with low authentication (PR:L) required; no scope change as impact is confined to MISP's own sharing metadata; no availability impact.
Primary rating from Vendor (CIRCL).
CVSS VectorVendor: CIRCL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An improper authorization check in MISP’s attribute creation endpoint allowed an authenticated user with permission to add attributes to submit a sharing_group_id without triggering the corresponding sharing group authorization check, as long as the attribute distribution value was not explicitly set to 4 - “sharing group”.
As a result, a user could reference or associate an attribute with a sharing group they were not authorized to use. This could lead to an access-control bypass affecting the integrity of attribute sharing metadata and potentially expose or misuse restricted sharing group relationships.
The patch changes the authorization logic so that the sharing group permission check is performed whenever a non-empty sharing_group_id is provided, regardless of the selected distribution value.
AnalysisAI
MISP's attribute creation endpoint contains an authorization bypass allowing authenticated users with attribute-creation permissions to associate attributes with sharing groups they are not authorized to access. The flaw arises because the sharing group permission check was gated exclusively on the distribution field being set to 4 (sharing group mode), meaning a user could submit any non-empty sharing_group_id with a different distribution value and bypass the check entirely. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be an authenticated MISP user holding the 'add attribute' permission - a role typically granted to analysts and contributors, not just administrators. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.3 (Medium) appropriately reflects a network-accessible, low-complexity attack requiring low privileges with limited confidentiality and integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated MISP user with standard attribute-creation permissions sends a crafted POST request to the attribute creation API endpoint, setting sharing_group_id to the ID of a restricted sharing group they are not a member of while using a distribution value of 1, 2, or 3 (anything other than 4). Because the authorization check is never triggered for non-4 distribution values, the server accepts the request and associates the attribute with the restricted sharing group, bypassing access controls. … |
| Remediation | Update MISP to a version that includes commit df612166538e2979fae9f7eda88345ccc8fee761 (https://github.com/MISP/MISP/commit/df612166538e2979fae9f7eda88345ccc8fee761), which corrects the authorization logic to perform the sharing group membership check whenever a non-empty sharing_group_id is submitted, regardless of the distribution value. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
An issue was discovered in MISP 2.4.9x before 2.4.99. Rated high severity (CVSS 8.8), this vulnerability is remotely exp
An issue was discovered in MISP before 2.4.158. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo
app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_de
SQL injection in MISP threat intelligence platform versions prior to 2.5.37 allows remote unauthenticated attackers to m
An issue was discovered in MISP before 2.4.158. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitab
MISP 2.4.172 mishandles different certificate file extensions in server sync. Rated high severity (CVSS 7.5), this vulne
In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. R
An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. Rated critical severity (CVSS 9.8), this v
An issue was discovered in MISP 2.4.128. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyEleme
app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data rel
MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. Rated
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42601
GHSA-x9x8-26mr-9wmm