
MISP · EUVD-2026-36603 · CVE-2026-54398 · MEDIUM
Incorrect Authorization (CWE-863)
2026-06-12 · CIRCL · GHSA-27wx-pvwm-cfh2
Score: 5.3 (CVSS 4.0) · Vendor: CIRCL

Severity by source

Vendor (CIRCL), primary: 5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 5.4 MEDIUM

Network-exploitable with low complexity; requires authenticated editor-level access (PR:L); limited confidentiality and integrity impact; no availability impact.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CIRCL).

CVSS Vector (Vendor: CIRCL)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (not defined; CVSS 4.0 has no Scope metric)

Lifecycle Timeline

Source Code Evidence Fetched: Jun 12, 2026 - 22:21 (vuln.today)
Analysis Generated: Jun 12, 2026 - 22:21 (vuln.today)

Description (source: CVE.org)

An authorization flaw in MISP’s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects, the sharing group validation was performed against the wrong request data structure after object fields had been merged to the top level, causing the check to be bypassed. In addition, attributes embedded in objects were not individually validated for authorized sharing group use.

An attacker could craft a request with distribution set to 4 and an arbitrary sharing_group_id, potentially disclosing the existence or name of otherwise non-visible sharing groups and improperly modifying the distribution metadata of objects or contained attributes.

Analysis (AI-generated)

Sharing group authorization bypass in MISP's object add/edit workflow allows an authenticated user with object-editing permissions to assign objects and their contained attributes to sharing groups they are not authorized to access or view. The flaw stems from a structural data merging step in ObjectsController.php that silently relocates field keys, causing the sharing group validation check to evaluate a stale, already-removed data path and thus never fire. …
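The description and analysis above both describe the same two defects: a sharing group check that reads a request key which no longer exists once the object fields have been merged to the top level (so it never fires), and contained attributes that are never checked individually. The following Python model is an added illustration, not MISP's code: the request shape, the `User` model, the `DISTRIBUTION_SHARING_GROUP` constant and the function names are constructed for the example. It places the stale-key pattern next to a corrected handler that validates the merged structure and every contained attribute.

```python
"""Model of a post-merge sharing group check (added illustration, not MISP code).

Constructed shapes: a request carries an 'Object' dict whose fields are merged
to the top level before validation; a User holds the sharing group ids it may
use. Names and data model are assumptions made for this example only.
"""
from __future__ import annotations

from dataclasses import dataclass, field

DISTRIBUTION_SHARING_GROUP = 4  # distribution level that selects a sharing group


class Forbidden(Exception):
    """Raised when a request names a sharing group the user may not use or view."""


@dataclass
class User:
    user_id: int
    sharing_groups: set[int] = field(default_factory=set)  # ids this user may use


def _check_sharing_group(user: User, item: dict) -> None:
    """Reject an object or attribute that selects a sharing group outside the user's set."""
    if int(item.get("distribution", 0)) != DISTRIBUTION_SHARING_GROUP:
        return  # not a sharing-group distribution, nothing to authorize
    sg = int(item.get("sharing_group_id", 0))
    if sg not in user.sharing_groups:
        raise Forbidden(f"user {user.user_id} may not use sharing group {sg}")


def _merge_to_top_level(request: dict) -> dict:
    """Relocate the nested 'Object' fields to the top level, as the advisory describes."""
    data = dict(request)
    data.update(data.pop("Object", {}))  # after this, data['Object'] no longer exists
    return data


def edit_object_vulnerable(user: User, request: dict) -> dict:
    """The defect: validation reads the old nested path after the merge removed it."""
    data = _merge_to_top_level(request)
    # data.get("Object") is now always {} -> distribution reads as 0 -> check never fires
    _check_sharing_group(user, data.get("Object", {}))
    return data  # "saved" with whatever distribution/sharing_group_id was supplied


def edit_object_fixed(user: User, request: dict) -> dict:
    """Corrected handler: validate the merged structure and each contained attribute."""
    data = _merge_to_top_level(request)
    _check_sharing_group(user, data)  # object-level distribution, on the merged keys
    for attribute in data.get("Attribute", []):  # per-attribute validation
        _check_sharing_group(user, attribute)
    return data


if __name__ == "__main__":
    # Constructed sample: user may use sharing group 1 only; request names group 99.
    editor = User(user_id=7, sharing_groups={1})
    request = {
        "Object": {
            "name": "domain-ip",
            "distribution": 4,
            "sharing_group_id": 99,
            "Attribute": [
                {"type": "ip-dst", "value": "203.0.113.5",
                 "distribution": 4, "sharing_group_id": 99},
            ],
        }
    }
    saved = edit_object_vulnerable(editor, request)
    print("vulnerable handler stored sharing_group_id =", saved["sharing_group_id"])
    try:
        edit_object_fixed(editor, request)
    except Forbidden as exc:
        print("fixed handler rejected the request:", exc)
```

The point to carry into a review of any merge-then-validate handler is the order of operations: once fields are relocated, every check must read the relocated keys, and any collection nested inside the merged record (here the attributes) needs its own pass, since the object-level check says nothing about them.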


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate to MISP with editor account
Delivery: Identify object edit API endpoint
Exploit: Craft request with distribution=4 and arbitrary sharing_group_id
Execution: Submit request bypassing sharing group validation
Persist: Observe response to enumerate restricted sharing group names
Impact: Reassign object/attribute distribution metadata to unauthorized sharing group

Vulnerability Assessment (AI-generated)

Exploitation: The attacker must be authenticated to the MISP instance and must possess object editing permissions, either granted directly or via a role that includes object add/edit rights. …

Risk Assessment: The CVSS 4.0 base score of 5.3 (Medium) is consistent with the limited blast radius: exploitation requires an authenticated session (PR:L) with pre-existing object editing permissions, and the confidentiality and integrity impacts are both Low (VC:L/VI:L). …

Exploit Scenario: An authenticated MISP user who holds object editing permissions but lacks access to a restricted sharing group crafts an HTTP POST request to the MISP object edit endpoint, setting distribution=4 and supplying an arbitrary sharing_group_id value in the request body. Because the field merge in ObjectsController.php causes the validation check to reference a stale data key that no longer exists, the sharing group authorization check is silently skipped and the object is saved with the unauthorized sharing group assignment. …

Remediation: The primary remediation is to update MISP to a version that includes commit 4fe48c523e66999d65f99fdec9508adb3aa1c0f3, which corrects the distribution field key reference in the edit() method and adds per-attribute sharing group validation via the new __validateAttributeSharingGroups() method. …


More in MISP
CVE-2026-44381 CRITICAL POC
9.3 May 13

SQL injection in MISP threat intelligence platform versions prior to 2.5.37 allows remote unauthenticated attackers to m

CVE-2026-56423 CRITICAL
9.4 Jun 22

Broken access control in MISP Core's bulk deletion handlers lets any authenticated user holding the broad perm_add or pe

CVE-2026-56422 CRITICAL
9.4 Jun 22

Insecure direct object reference flaws in MISP threat-intelligence platform allow an authenticated user with access to a

CVE-2026-56425 CRITICAL
9.3 Jun 22

Multiple OAuth 2.0 flow weaknesses in the MISP AAD (Azure Active Directory) authentication plugin allow session hijackin

CVE-2026-56447 CRITICAL
9.3 Jun 22

Authenticated arbitrary code execution in MISP allows a site administrator to abuse the Kafka_rdkafka_config setting to

CVE-2026-10868 CRITICAL
9.0 Jun 04

Privilege escalation in MISP threat intelligence platform versions through 2.5.38 allows authenticated users to modify o

CVE-2025-67906 CRITICAL
9.0 Dec 15

Stored cross-site scripting in MISP (Malware Information Sharing Platform) versions before 2.5.28 allows authenticated u

CVE-2026-39962 HIGH
8.8 Apr 09

LDAP injection in MISP (Malware Information Sharing Platform) versions prior to 2.5.36 enables unauthenticated attackers

CVE-2026-56446 HIGH
8.7 Jun 22

Remote code execution in MISP allows authenticated site administrators to abuse the JsonLogTool NDJSON error log configu

CVE-2026-44380 HIGH
8.6 May 13

Privilege escalation in MISP threat intelligence platform versions prior to 2.5.37 allows organization administrators to

CVE-2026-9136 HIGH
8.3 May 20

Insecure Direct Object Reference in MISP 2.5.0 through 2.5.37 allows authenticated users with shadow attribute submissio

CVE-2026-10611 HIGH
8.2 Jun 02

OTP authentication bypass in MISP affects deployments where LdapAuth.mixedAuth=true is combined with Security.require_ot


EUVD-2026-36603 vulnerability details – vuln.today
