Skip to main content

MISP EUVDEUVD-2026-31151

| CVE-2026-9136 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-20 CIRCL GHSA-hfjr-4239-84fm
8.3
CVSS 4.0 · Vendor: CIRCL
Share

Severity by source

Vendor (CIRCL) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (CIRCL) · only source for this CVE.

CVSS VectorVendor: CIRCL

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
May 20, 2026 - 20:05 vuln.today
Analysis Generated
May 20, 2026 - 20:05 vuln.today

DescriptionCVE.org

A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update an existing record, an authenticated user able to submit shadow attribute proposals could provide the identifier of an existing ShadowAttribute and cause that record to be updated instead of creating a new proposal.

This can result in unauthorized modification of existing shadow attributes, potentially affecting proposals associated with events the user should not be able to alter. Depending on deployment configuration and accessible API responses, the issue may also expose or move proposal data across event contexts.

The vulnerability is caused by trusting a client-supplied primary key during object creation. The fix removes the id field from incoming ShadowAttribute data before processing, ensuring that the endpoint always creates a new proposal rather than updating an existing one. This has been fixed in MISP 2.5.38.

AnalysisAI

Insecure Direct Object Reference in MISP 2.5.0 through 2.5.37 allows authenticated users with shadow attribute submission privileges to overwrite arbitrary existing ShadowAttribute records by supplying a target id within the add proposal request. The framework's ORM interprets a client-supplied primary key as an update directive, breaking the boundary between proposal creation and modification. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform built on the CakePHP framework, which uses Active Record-style ORM semantics where a supplied primary key (id) on a save() call is interpreted as an UPDATE rather than an INSERT. The vulnerability is a textbook CWE-639 Authorization Bypass Through User-Controlled Key: the ShadowAttributesController::add() action in app/Controller/ShadowAttributesController.php accepted the entire request payload under the ShadowAttribute key without scrubbing the id field before passing it to the model layer. ShadowAttributes represent community proposals to edit existing event attributes, so manipulation of these records subverts MISP's review/approval workflow that data-sharing communities rely on for integrity.

RemediationAI

Vendor-released patch: upgrade to MISP 2.5.38 or later, which adds an explicit unset($this->request->data['ShadowAttribute']['id']) in the add() controller action before the save operation, ensuring proposal submissions always create rather than update records (see https://github.com/MISP/MISP/commit/49911b1d4b6e4517d803e50e3d980aaa4d37c16d). If immediate upgrade is not feasible, operators can apply the one-line cherry-pick of that commit to ShadowAttributesController.php, or temporarily restrict shadow attribute submission privileges to highly trusted users via the MISP role permissions interface (this disables a core collaborative proposal workflow and is only suitable as a short-term measure). Enabling audit logging on the ShadowAttributes table and reviewing recent UPDATE operations on shadow_attributes for anomalous edits by accounts that should only be inserting is recommended to detect any pre-patch abuse; expect log volume to grow noticeably on active instances.

More in Misp

View all
CVE-2018-19908 HIGH POC
8.8 Dec 06

An issue was discovered in MISP 2.4.9x before 2.4.99. Rated high severity (CVSS 8.8), this vulnerability is remotely exp

CVE-2022-29528 CRITICAL POC
9.8 Apr 20

An issue was discovered in MISP before 2.4.158. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2022-48328 CRITICAL POC
9.8 Feb 20

app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_de

CVE-2026-44381 CRITICAL POC
9.3 May 13

SQL injection in MISP threat intelligence platform versions prior to 2.5.37 allows remote unauthenticated attackers to m

CVE-2022-29534 HIGH POC
7.5 Apr 20

An issue was discovered in MISP before 2.4.158. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitab

CVE-2023-37306 HIGH POC
7.5 Jun 30

MISP 2.4.172 mishandles different certificate file extensions in server sync. Rated high severity (CVSS 7.5), this vulne

CVE-2021-41326 CRITICAL
9.8 Sep 17

In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. R

CVE-2018-12649 CRITICAL
9.8 Jun 22

An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. Rated critical severity (CVSS 9.8), this v

CVE-2020-15411 CRITICAL
9.8 Jun 30

An issue was discovered in MISP 2.4.128. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2020-29006 CRITICAL
9.8 Nov 24

MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyEleme

CVE-2021-35502 CRITICAL
9.8 Jun 25

app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data rel

CVE-2021-39302 CRITICAL
9.8 Aug 19

MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. Rated

Share

EUVD-2026-31151 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy