Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (CIRCL) · only source for this CVE.
CVSS VectorVendor: CIRCL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update an existing record, an authenticated user able to submit shadow attribute proposals could provide the identifier of an existing ShadowAttribute and cause that record to be updated instead of creating a new proposal.
This can result in unauthorized modification of existing shadow attributes, potentially affecting proposals associated with events the user should not be able to alter. Depending on deployment configuration and accessible API responses, the issue may also expose or move proposal data across event contexts.
The vulnerability is caused by trusting a client-supplied primary key during object creation. The fix removes the id field from incoming ShadowAttribute data before processing, ensuring that the endpoint always creates a new proposal rather than updating an existing one. This has been fixed in MISP 2.5.38.
AnalysisAI
Insecure Direct Object Reference in MISP 2.5.0 through 2.5.37 allows authenticated users with shadow attribute submission privileges to overwrite arbitrary existing ShadowAttribute records by supplying a target id within the add proposal request. The framework's ORM interprets a client-supplied primary key as an update directive, breaking the boundary between proposal creation and modification. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform built on the CakePHP framework, which uses Active Record-style ORM semantics where a supplied primary key (id) on a save() call is interpreted as an UPDATE rather than an INSERT. The vulnerability is a textbook CWE-639 Authorization Bypass Through User-Controlled Key: the ShadowAttributesController::add() action in app/Controller/ShadowAttributesController.php accepted the entire request payload under the ShadowAttribute key without scrubbing the id field before passing it to the model layer. ShadowAttributes represent community proposals to edit existing event attributes, so manipulation of these records subverts MISP's review/approval workflow that data-sharing communities rely on for integrity.
RemediationAI
Vendor-released patch: upgrade to MISP 2.5.38 or later, which adds an explicit unset($this->request->data['ShadowAttribute']['id']) in the add() controller action before the save operation, ensuring proposal submissions always create rather than update records (see https://github.com/MISP/MISP/commit/49911b1d4b6e4517d803e50e3d980aaa4d37c16d). If immediate upgrade is not feasible, operators can apply the one-line cherry-pick of that commit to ShadowAttributesController.php, or temporarily restrict shadow attribute submission privileges to highly trusted users via the MISP role permissions interface (this disables a core collaborative proposal workflow and is only suitable as a short-term measure). Enabling audit logging on the ShadowAttributes table and reviewing recent UPDATE operations on shadow_attributes for anomalous edits by accounts that should only be inserting is recommended to detect any pre-patch abuse; expect log volume to grow noticeably on active instances.
An issue was discovered in MISP 2.4.9x before 2.4.99. Rated high severity (CVSS 8.8), this vulnerability is remotely exp
An issue was discovered in MISP before 2.4.158. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo
app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_de
SQL injection in MISP threat intelligence platform versions prior to 2.5.37 allows remote unauthenticated attackers to m
An issue was discovered in MISP before 2.4.158. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitab
MISP 2.4.172 mishandles different certificate file extensions in server sync. Rated high severity (CVSS 7.5), this vulne
In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. R
An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. Rated critical severity (CVSS 9.8), this v
An issue was discovered in MISP 2.4.128. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyEleme
app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data rel
MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. Rated
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31151
GHSA-hfjr-4239-84fm