
MISP EUVD-2026-36549

CVE-2026-54357 | MEDIUM
Incorrect Authorization (CWE-863)
2026-06-12 · CIRCL · GHSA-jfqf-9254-245v
5.1 (CVSS 4.0) · Vendor: CIRCL

Severity by source

Vendor (CIRCL), primary: 5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 5.5 MEDIUM
Rationale: PR:H for required org-admin credentials; S:C because site admin accounts represent a distinct higher-privilege security scope; no availability impact.

CVSS 3.1: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (CIRCL).

CVSS Vector (Vendor: CIRCL)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: X

Lifecycle Timeline

  • Source Code Evidence Fetched: Jun 12, 2026 - 20:03 (vuln.today)
  • Analysis Generated: Jun 12, 2026 - 20:03 (vuln.today)

Description (CVE.org)

An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks scoped administrative actions by organization membership but did not exclude higher-privileged site administrator users. As a result, an organization administrator could potentially view or alter site administrator user settings and related login profile information, crossing the intended privilege boundary between organization administration and site-wide administration.

The patch hardens the ACL logic by excluding site administrator accounts from organization administrator-managed user sets, adding explicit authorization failure when a target user is not administrable, and ensuring user setting and login profile operations fail closed.
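The ACL defect and its fix, as an added illustration that is not MISP's own code: a Python model of the org-admin check in which the vulnerable form tests only org_id membership and the hardened form also excludes perm_site_admin holders, with the write path failing closed. The User fields follow the advisory's terms; the function names and the settings store are assumptions.

```python
# Added illustration of the ACL pattern in the advisory; not MISP's own code.
# User fields mirror the advisory's terms (org_id, perm_admin, perm_site_admin);
# the function names and the settings store are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    org_id: int
    perm_admin: bool = False       # organisation administrator
    perm_site_admin: bool = False  # site-wide administrator


class AuthorizationError(PermissionError):
    """Raised when a caller is not allowed to administer the target user."""


def vulnerable_is_administrable(actor: User, target: User) -> bool:
    """Pre-patch style: the check scopes by organisation membership only,
    so an org admin passes for a site admin in the same org."""
    if actor.perm_site_admin:
        return True
    return actor.perm_admin and actor.org_id == target.org_id


def hardened_is_administrable(actor: User, target: User) -> bool:
    """Patched style: site-admin accounts are excluded from the set an org
    admin may manage; every other path denies."""
    if actor.perm_site_admin:
        return True
    if not actor.perm_admin:
        return False
    if target.perm_site_admin:  # the exclusion the original check lacked
        return False
    return actor.org_id == target.org_id


def set_user_setting(actor: User, target: User, store: dict, key: str, value,
                     check=hardened_is_administrable) -> dict:
    """Write path that fails closed: a user may edit their own settings,
    otherwise the check must pass or the request is rejected outright."""
    if actor.id != target.id and not check(actor, target):
        raise AuthorizationError(f"user {actor.id} may not administer user {target.id}")
    store[(target.id, key)] = value
    return store
```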

Analysis (AI)

Improper authorization in MISP permits an authenticated organization administrator to read or overwrite user settings and login profile data belonging to site administrator accounts that share the same organization. The ACL checks in UserLoginProfilesController, UserSettingsController, and the UserSetting model correctly scoped operations by org_id membership but failed to exclude users holding site-admin roles, allowing a lower-privileged admin to cross the intended privilege boundary. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Authenticate as org admin
  • Delivery: Enumerate co-located site admin user IDs
  • Exploit: Send settings or login-profile request targeting site admin ID
  • Execution: Bypass incomplete org_id-only ACL check
  • Impact: Read or overwrite site admin account metadata

Vulnerability Assessment (AI)

Exploitation: The attacker must hold an active, authenticated organization administrator account (perm_admin role, not perm_site_admin) within the MISP instance - unauthenticated users and regular non-admin users cannot exploit this flaw. …

Risk Assessment: The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N, score 5.1) accurately characterizes the constrained real-world impact: the PR:H requirement limits the attacker population strictly to users already possessing organization administrator credentials, which is a meaningfully privileged position that should not exist in untrusted hands. …

Exploit Scenario: An org admin with valid credentials to a MISP instance where a site administrator shares the same organization enumerates user IDs belonging to site admins - discoverable via the user listing available to org admins - then queries the user settings or login profile endpoints using those IDs. The pre-patch ACL passes because org_id membership is satisfied, returning the site administrator's login profile metadata or user settings, or allowing the org admin to overwrite them. …

Remediation: Apply the upstream patch at https://github.com/MISP/MISP/commit/ed3d9b862dea4c8c8e9b620a5ad99ce0c2c82154, which modifies UserLoginProfilesController.php, UserSettingsController.php, UserSetting.php, and User.php to exclude site-admin role holders from org-admin-managed user sets and enforce explicit authorization failures on unauthorized write attempts. …



EUVD-2026-36549 vulnerability details – vuln.today
