Skip to main content

MISP CVE-2026-9084

| EUVDEUVD-2026-31123 MEDIUM
Improper Authentication (CWE-287)
2026-05-20 CIRCL GHSA-5895-8h7c-2833
6.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
May 20, 2026 - 16:03 vuln.today
Analysis Generated
May 20, 2026 - 16:03 vuln.today

DescriptionCVE.org

MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim’s email address and authenticate as that user, leading to account takeover.

AnalysisAI

Account takeover in MISP's OidcAuth plugin (versions 2.5.0 through 2.5.37) enables an unauthenticated attacker holding a valid OIDC token from an insecure or untrusted IdP to authenticate as any local MISP user whose account has a NULL stored sub value. The vulnerability arises because the plugin unconditionally trusted the OIDC email claim to link identities to existing local accounts without verifying email ownership, bypassing authentication controls entirely (CWE-287). No public exploit has been identified and the vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 6.0 reflects adjacent network vector and high complexity conditions that constrain realistic exposure.

Technical ContextAI

MISP's OidcAuth plugin is a CakePHP-based authentication component located at app/Plugin/OidcAuth/Lib/Oidc.php. During OIDC login, the plugin correlates the incoming token's sub claim to a local MISP user record. For accounts created locally (i.e., never previously authenticated via OIDC), the sub field is NULL. The vulnerable code branch checked for a sub mismatch - correctly rejecting tokens where the stored sub differed - but contained no guard against the NULL sub case, causing it to silently accept any token whose email claim matched an existing local account. This maps directly to CWE-287 (Improper Authentication): ownership of the asserted email identity was never validated. The fix, committed to the MISP repository at 71f5662c1b5886613d2cd5c72fd93bb4ca6fa172, introduces two new opt-in configuration flags - OidcAuth.allow_email_linking (default: false) and OidcAuth.require_email_verified (default: true) - disabling the email-linking behavior by default and requiring email_verified=true when it is re-enabled. Affected CPE is cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*.

RemediationAI

Apply the upstream fix from the MISP GitHub repository at https://github.com/MISP/MISP/commit/71f5662c1b5886613d2cd5c72fd93bb4ca6fa172, which changes the default behavior of the OidcAuth plugin to deny email-based identity linking. As an immediate compensating control prior to patching, explicitly set OidcAuth.allow_email_linking = false in MISP's configuration - this mirrors the patched default and blocks automatic linking of OIDC identities to accounts with a NULL sub. If email-based linking must remain enabled for account migration purposes, additionally set OidcAuth.require_email_verified = true (also the patched default) and verify that the configured IdP enforces email ownership and issues the email_verified=true claim reliably; enabling linking against an IdP that does not provide this guarantee reintroduces the vulnerability. Disabling the OidcAuth plugin entirely for deployments that do not require OIDC is a zero-risk mitigation with no functional impact on local-auth users. Monitor the official MISP releases at https://github.com/MISP/MISP/releases for a tagged version incorporating this fix.

More in Misp

View all
CVE-2018-19908 HIGH POC
8.8 Dec 06

An issue was discovered in MISP 2.4.9x before 2.4.99. Rated high severity (CVSS 8.8), this vulnerability is remotely exp

CVE-2022-29528 CRITICAL POC
9.8 Apr 20

An issue was discovered in MISP before 2.4.158. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2022-48328 CRITICAL POC
9.8 Feb 20

app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_de

CVE-2026-44381 CRITICAL POC
9.3 May 13

SQL injection in MISP threat intelligence platform versions prior to 2.5.37 allows remote unauthenticated attackers to m

CVE-2022-29534 HIGH POC
7.5 Apr 20

An issue was discovered in MISP before 2.4.158. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitab

CVE-2023-37306 HIGH POC
7.5 Jun 30

MISP 2.4.172 mishandles different certificate file extensions in server sync. Rated high severity (CVSS 7.5), this vulne

CVE-2021-41326 CRITICAL
9.8 Sep 17

In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. R

CVE-2018-12649 CRITICAL
9.8 Jun 22

An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. Rated critical severity (CVSS 9.8), this v

CVE-2020-15411 CRITICAL
9.8 Jun 30

An issue was discovered in MISP 2.4.128. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2020-29006 CRITICAL
9.8 Nov 24

MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyEleme

CVE-2021-35502 CRITICAL
9.8 Jun 25

app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data rel

CVE-2021-39302 CRITICAL
9.8 Aug 19

MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. Rated

Share

CVE-2026-9084 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy