Severity by source
Primary rating from Vendor (CIRCL):
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-exploitable with low complexity; requires authenticated editor-level access (PR:L); limited confidentiality and integrity impact; no availability impact.
Description (source: CVE.org)
An authorization flaw in MISP’s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects, the sharing group validation was performed against the wrong request data structure after object fields had been merged to the top level, causing the check to be bypassed. In addition, attributes embedded in objects were not individually validated for authorized sharing group use.
An attacker could craft a request with distribution set to 4 and an arbitrary sharing_group_id, potentially disclosing the existence or name of otherwise non-visible sharing groups and improperly modifying the distribution metadata of objects or contained attributes.
Analysis (AI-generated)
Sharing group authorization bypass in MISP's object add/edit workflow allows an authenticated user with object-editing permissions to assign objects and their contained attributes to sharing groups they are not authorized to access or view. The flaw stems from a structural data merging step in ObjectsController.php that silently relocates field keys, causing the sharing group validation check to evaluate a stale, already-removed data path and thus never fire. …
Vulnerability assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | The attacker must be authenticated to the MISP instance and must possess object editing permissions, either granted directly or via a role that includes object add/edit rights. … |
| Risk Assessment | The CVSS 4.0 base score of 5.3 (Medium) is consistent with the limited blast radius: exploitation requires an authenticated session (PR:L) with pre-existing object editing permissions, and the confidentiality and integrity impacts are both Low (VC:L/VI:L). … |
| Exploit Scenario | An authenticated MISP user who holds object editing permissions but lacks access to a restricted sharing group crafts an HTTP POST request to the MISP object edit endpoint, setting distribution=4 and supplying an arbitrary sharing_group_id value in the request body. Because the field merge in ObjectsController.php causes the validation check to reference a stale data key that no longer exists, the sharing group authorization check is silently skipped and the object is saved with the unauthorized sharing group assignment. … |
| Remediation | The primary remediation is to update MISP to a version that includes commit 4fe48c523e66999d65f99fdec9508adb3aa1c0f3, which corrects the distribution field key reference in the edit() method and adds per-attribute sharing group validation via the new __validateAttributeSharingGroups() method. … |
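The description and the remediation row above both turn on one mechanism: a merge step hoists the request's object fields to the top level, after which a check that still reads the pre-merge path evaluates nothing and never rejects anything, and the attributes inside the object are never checked at all. The following is an added, self-contained model of that pattern written for this page in Python; it is not MISP's code (MISP's controller is PHP), and the function names, the `User` class, the request shapes and the sharing-group ids 1, 2 and 99 are all constructed for illustration. Only the meaning of distribution level 4 ("sharing group") comes from the description. The vulnerable handler and the hardened handler sit side by side so the difference in where the check looks, and whether attributes are validated, is visible in running code.

```python
from dataclasses import dataclass

# MISP distribution level 4 means "share with a specific sharing group"
# (taken from the description above; every other value here is constructed).
DISTRIBUTION_SHARING_GROUP = 4


class AuthorizationError(Exception):
    """Raised when a request names a sharing group the user may not use."""


@dataclass(frozen=True)
class User:
    name: str
    sharing_groups: frozenset  # ids of sharing groups this user may see and use


def merge_object_fields(request_data: dict) -> dict:
    """Hoist the keys under request_data['Object'] to the top level.

    This models the merge step the description mentions: once it has run,
    there is no 'Object' key left in the dictionary at all.
    """
    merged = dict(request_data)
    nested = merged.pop("Object", {})
    merged.update(nested)
    return merged


def check_sharing_group(user: User, distribution, sharing_group_id) -> None:
    """Reject distribution 4 combined with a sharing group the user is not authorized for."""
    if distribution is None or int(distribution) != DISTRIBUTION_SHARING_GROUP:
        return
    if sharing_group_id is None or int(sharing_group_id) not in user.sharing_groups:
        raise AuthorizationError(f"{user.name} may not use sharing group {sharing_group_id}")


def edit_object_vulnerable(user: User, request_data: dict) -> dict:
    """Vulnerable pattern: the check reads the pre-merge path, so it sees nothing and never fires."""
    data = merge_object_fields(request_data)
    stale = data.get("Object", {})  # always empty after the merge
    check_sharing_group(user, stale.get("distribution"), stale.get("sharing_group_id"))
    # Contained attributes are not validated individually at all.
    return data  # "saved" with whatever sharing_group_id the request carried


def edit_object_fixed(user: User, request_data: dict) -> dict:
    """Hardened pattern: validate the merged top-level keys and every contained attribute."""
    data = merge_object_fields(request_data)
    check_sharing_group(user, data.get("distribution"), data.get("sharing_group_id"))
    for attribute in data.get("Attribute", []):
        check_sharing_group(user, attribute.get("distribution"), attribute.get("sharing_group_id"))
    return data


def outcome(handler, user: User, request_data: dict) -> str:
    """Run a handler and report whether the object would be saved or rejected."""
    try:
        saved = handler(user, request_data)
    except AuthorizationError:
        return "rejected"
    return f"saved with sharing_group_id={saved.get('sharing_group_id')}"


# Constructed sample user: authorized for sharing groups 1 and 2 only.
EDITOR = User("editor", frozenset({1, 2}))

# Constructed request that names an unauthorized sharing group (99) on the object itself.
OBJECT_REQUEST = {
    "Object": {
        "name": "file",
        "distribution": 4,
        "sharing_group_id": "99",  # arrives as a string, as form/JSON values often do
        "Attribute": [{"type": "filename", "value": "a.exe", "distribution": 1}],
    }
}

# Constructed request that is clean at object level but carries the group on an attribute.
ATTRIBUTE_REQUEST = {
    "Object": {
        "name": "file",
        "distribution": 1,
        "Attribute": [
            {"type": "filename", "value": "b.exe", "distribution": 4, "sharing_group_id": 99}
        ],
    }
}

if __name__ == "__main__":
    for label, req in (("object-level", OBJECT_REQUEST), ("attribute-level", ATTRIBUTE_REQUEST)):
        print(label, "vulnerable:", outcome(edit_object_vulnerable, EDITOR, req))
        print(label, "fixed:     ", outcome(edit_object_fixed, EDITOR, req))
```

The point of the two handlers is that the validation routine itself is identical; what differs is which data path it is handed. A review check for this class of bug is to look at every authorization test that follows a merge, flatten, or rename of request data and confirm it reads the post-transformation key, and that collections nested inside the request (here the attributes) get the same check as the container.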
Related MISP vulnerabilities
- SQL injection in MISP threat intelligence platform versions prior to 2.5.37 allows remote unauthenticated attackers to m
- Broken access control in MISP Core's bulk deletion handlers lets any authenticated user holding the broad perm_add or pe
- Insecure direct object reference flaws in MISP threat-intelligence platform allow an authenticated user with access to a
- Multiple OAuth 2.0 flow weaknesses in the MISP AAD (Azure Active Directory) authentication plugin allow session hijackin
- Authenticated arbitrary code execution in MISP allows a site administrator to abuse the Kafka_rdkafka_config setting to
- Privilege escalation in MISP threat intelligence platform versions through 2.5.38 allows authenticated users to modify o
- Stored cross-site scripting in MISP (Malware Information Sharing Platform) versions before 2.5.28 allows authenticated u
- LDAP injection in MISP (Malware Information Sharing Platform) versions prior to 2.5.36 enables unauthenticated attackers
- Remote code execution in MISP allows authenticated site administrators to abuse the JsonLogTool NDJSON error log configu
- Privilege escalation in MISP threat intelligence platform versions prior to 2.5.37 allows organization administrators to
- Insecure Direct Object Reference in MISP 2.5.0 through 2.5.37 allows authenticated users with shadow attribute submissio
- OTP authentication bypass in MISP affects deployments where LdapAuth.mixedAuth=true is combined with Security.require_ot
Weakness: CWE-863 – Incorrect Authorization
Technique: Authentication Bypass
References: EUVD-2026-36603, GHSA-27wx-pvwm-cfh2