
MISP · EUVD-2026-38225 | CVE-2026-56422 · CRITICAL
Authorization Bypass Through User-Controlled Key (CWE-639)
Published 2026-06-22 · Source: CIRCL · GHSA-mf7v-x7r6-fq57
CVSS 4.0 base score 9.4 · Vendor: CIRCL

Severity by source

Vendor (CIRCL), primary: 9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 9.9 CRITICAL
Rationale: the affected REST endpoints are network-reachable (AV:N); any authenticated user with edit rights on one object suffices (PR:L, AC:L); no user interaction is needed (UI:N); because the authorization bypass crosses the organisation (tenant) boundary, CVSS 3.1 Scope is Changed (S:C), with full confidentiality, integrity and availability impact on other organisations' data.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (CIRCL).

CVSS 4.0 vector (Vendor: CIRCL)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Vulnerable system impact: High confidentiality, integrity and availability (VC:H/VI:H/VA:H)
Subsequent system impact: High confidentiality, integrity and availability (SC:H/SI:H/SA:H)
Safety (supplemental): Not Defined (S:X). CVSS 4.0 has no Scope metric; the cross-organisation effect is expressed through the subsequent-system impact metrics instead. All threat and environmental metrics are Not Defined (X).

Lifecycle Timeline

Jun 22, 2026 - 11:43: CVE published (cve.org)
Jun 22, 2026 - 12:15: Source code evidence fetched (vuln.today)
Jun 22, 2026 - 12:15: Analysis generated (vuln.today)

Description (CVE.org)

Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, and related nested object identifiers) without consistently stripping, pinning, or revalidating them against the server-authorized object.

In affected paths, an authenticated user with access to one authorized object could submit crafted REST or form payloads that caused MISP to save data against a different object than the one checked by the authorization logic. Depending on the endpoint, this could allow object overwrite, object re-parenting, ownership transfer, unauthorized sharing-group scoping, event/object injection, proposal retargeting, or stored attacker-controlled content appearing in another user’s context.

The fixes harden affected create/edit/import flows by stripping client-supplied primary keys on create-only saves, re-pinning route- or database-authorized identifiers before save operations, validating effective sharing-group scope, and adding field whitelists where ownership fields must never be editable. The initial broad fix also added a central CRUDComponent::edit() primary-key re-pin so payload-supplied IDs cannot redirect saves away from the already-authorized row. GitHub’s patch for 7acf8220c describes this central issue as CRUDComponent::edit() copying supplied fields, including a payload primary key, onto the loaded record, allowing CakePHP save() to update an arbitrary row unless the loaded ID is re-pinned.
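The pattern the description names (a payload primary key or ownership key winning over the row the authorization check loaded) and the four fixes it lists (strip the primary key on create-only saves, re-pin the route-authorized id before saving, whitelist editable fields so ownership keys are never mass-assigned, validate sharing-group scope) are shown below in a small Python model. This is an added example, not MISP or CakePHP code: the in-memory events table, the sharing-group membership map, the user records and the field names are all constructed for illustration, and the "vulnerable" handler only imitates how an unpinned ORM save would pick the target row from the data it is handed.

```python
"""Toy model of the CWE-639 pattern in CVE-2026-56422 (added example, not MISP code)."""
from copy import deepcopy

# Constructed data: two organisations (10 and 20), one event each.
EVENTS = {
    1: {"id": 1, "org_id": 10, "info": "org A event", "sharing_group_id": None},
    2: {"id": 2, "org_id": 20, "info": "org B event", "sharing_group_id": None},
}
# Constructed: sharing group id -> set of member organisation ids.
SHARING_GROUP_MEMBERS = {5: {10}, 6: {20}}
USERS = {"alice@orga.example": {"org_id": 10, "perm_site_admin": False}}
# Fields a client may set on an Event; ownership/scope keys are deliberately absent.
EDITABLE_EVENT_FIELDS = {"info", "sharing_group_id"}


class Forbidden(Exception):
    pass


def _authorize(user, event_id, events):
    """Ownership check on the route id. This part works; the bug is what happens after it."""
    row = events.get(event_id)
    if row is None:
        raise Forbidden("no such event")
    if not user["perm_site_admin"] and row["org_id"] != user["org_id"]:
        raise Forbidden("not your event")
    return row


def vulnerable_edit(user, route_id, payload, events):
    """Loads and checks the route row, then saves the merged payload.
    A payload 'id' (and any ownership key) overrides the loaded row, so the
    write lands on whatever row the client named."""
    row = _authorize(user, route_id, events)
    merged = {**row, **payload}       # mass-assignment, including 'id' and 'org_id'
    events[merged["id"]] = merged     # the save targets the id found in the data
    return merged


def hardened_edit(user, route_id, payload, events):
    row = _authorize(user, route_id, events)
    # Fix 1: field whitelist; ownership keys from the client are dropped, not merged.
    data = {k: v for k, v in payload.items() if k in EDITABLE_EVENT_FIELDS}
    # Fix 2: effective sharing-group scope must include the caller's organisation.
    sg = data.get("sharing_group_id")
    if sg is not None and user["org_id"] not in SHARING_GROUP_MEMBERS.get(sg, set()):
        raise Forbidden("sharing group out of scope")
    merged = {**row, **data}
    # Fix 3: re-pin the identifiers the authorization check actually validated.
    merged["id"] = route_id
    merged["org_id"] = row["org_id"]
    events[route_id] = merged
    return merged


def hardened_create(user, payload, events):
    """Create-only save (fix 4): strip any client-supplied primary key and pin
    the owner to the caller's organisation."""
    data = {k: v for k, v in payload.items() if k in EDITABLE_EVENT_FIELDS}
    new_id = max(events) + 1
    events[new_id] = {"id": new_id, "org_id": user["org_id"], **data}
    return events[new_id]


def demo():
    """Alice (org 10) edits her own event 1 but names org 20's event 2 in the body."""
    user = USERS["alice@orga.example"]
    attack = {"id": 2, "info": "poisoned", "org_id": 10, "sharing_group_id": 6}
    vuln = deepcopy(EVENTS)
    vulnerable_edit(user, 1, attack, vuln)        # event 2 overwritten and re-owned
    hard = deepcopy(EVENTS)
    try:
        hardened_edit(user, 1, attack, hard)
        attack_accepted = True
    except Forbidden:                              # out-of-scope sharing group rejected
        attack_accepted = False
    hardened_edit(user, 1, {"info": "renamed", "id": 2}, hard)  # 'id' ignored, row 1 updated
    created = hardened_create(user, {"id": 2, "info": "new", "org_id": 20}, hard)
    return vuln, hard, attack_accepted, created


if __name__ == "__main__":
    vuln, hard, accepted, created = demo()
    print("vulnerable table:", vuln)
    print("hardened table:", hard, "attack accepted:", accepted, "created:", created)
```

The two handlers share the same authorization step; the difference is only in what is allowed to flow from the request into the row that is written. Re-pinning alone stops the primary-key redirect, but without the whitelist an attacker can still change org_id or sharing_group_id on a row they legitimately own, which is why the description lists both.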

Analysis (AI)

Insecure direct object reference flaws in the MISP threat-intelligence platform allow an authenticated user with access to any one authorized object to overwrite, re-parent, or transfer ownership of objects belonging to other users or organisations by submitting crafted REST/form payloads containing attacker-chosen primary keys and ownership foreign keys. The root cause is CRUDComponent::edit() mass-assigning payload-supplied IDs (id, event_id, org_id, user_id, sharing_group_id, etc.) onto the already-loaded record, so CakePHP's save() updates a different row from the one the authorization check validated. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata. The stage names are the site's generic kill-chain template; for an authorization bypass like this one, "Install" and "C2" do not mean persistence or command-and-control, they are simply the request submission and the server-side mass-assignment step.

1. Recon: obtain an authenticated MISP account.
2. Delivery: identify victim object IDs via API enumeration.
3. Exploit: craft a REST payload with injected primary/foreign keys.
4. Install: submit it to an edit/import endpoint the account is authorized to use.
5. C2: CRUDComponent::edit() mass-assigns the payload IDs and calls save().
6. Execute: the victim row is overwritten or re-parented.
7. Impact: poisoned intel propagates to peer instances via federation.

Vulnerability Assessment (AI)

Exploitation Attacker must hold a valid authenticated MISP account with edit permission on at least one object on the target instance (the normal state for any MISP user, including federated sync users and low-privileged contributors); no admin role, no user interaction, and no special site configuration is required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is high for any MISP instance with multiple users or organizations, because the prerequisite (any authenticated account with edit access to at least one object) is the normal state for every MISP user. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a low-privileged MISP user account on a federated instance, then issues a REST PUT/POST to an edit endpoint they are authorized to use (for example, editing one of their own events) while embedding a different organisation's event_id or object id in the JSON body. MISP's CRUDComponent::edit() loads the attacker's authorized row, passes the ownership check, then calls save() on the merged payload, including the injected primary key, so the write lands on the victim organisation's row: the object is overwritten or re-parented, its ownership transferred, or its scope changed to an attacker-controlled sharing group. …
Remediation Upstream fix available (commits, not a tagged release announced in the input); released patched version not independently confirmed - administrators should pull the listed MISP/MISP commits (starting with 7acf8220cafac58bcfb362da37aca512fe4bb396 and the 14 companion commits referenced in the CVE) or upgrade to the next MISP point release that incorporates them, per https://github.com/MISP/MISP/commit/7acf8220cafac58bcfb362da37aca512fe4bb396. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: check the MISP audit logs for object modifications that the acting user's organisation should not have been able to make, and isolate any multi-tenant or shared MISP instances if the patch cannot be applied immediately. …
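The audit-log check above is easier to reason about with a concrete triage rule. The script below is an added example, not part of this advisory or of MISP: it hunts for the two signals the exploit scenario would leave behind, a non-admin user writing to an Event (or an Attribute/Object inside an Event) owned by another organisation, and a write whose recorded change touches an ownership or scope field (org_id, orgc_id, event_id, sharing_group_id, user_id). The log rows are constructed; their column names loosely follow the columns of MISP's logs table and the "field (old) => (new)" change notation, but the exact format in a given MISP version should be checked before reuse, and the event-ownership and attribute-to-event maps that a real hunt would pull from the database are assumed here as inline dictionaries. Site administrators and sync users legitimately write across organisations, so hits are leads to review, not verdicts.

```python
"""Audit-log triage for cross-organisation writes (added example, constructed data)."""
import re
from dataclasses import dataclass


@dataclass
class LogRow:
    id: int
    created: str
    model: str
    model_id: int
    action: str
    org: str      # organisation of the acting user
    email: str    # acting user
    change: str   # "field (old) => (new), field2 (old) => (new)" (assumed notation)


# Assumed joins that a real hunt would take from the MISP database.
EVENT_OWNER = {1: "ORGA", 2: "ORGB"}          # event id -> creator organisation
ATTRIBUTE_EVENT = {100: 1, 200: 2}            # attribute/object id -> parent event id
SITE_ADMINS = {"admin@orga.example"}          # accounts allowed to write everywhere
WRITE_ACTIONS = {"add", "edit", "delete", "publish"}
OWNERSHIP_FIELDS = {"org_id", "orgc_id", "event_id", "sharing_group_id", "user_id"}
CHANGE_RE = re.compile(r"(\w+) \(([^)]*)\) => \(([^)]*)\)")

# Constructed log rows: 1 and 4 are benign, 2 and 5 are what the exploit would leave,
# 3 is a site-admin write, 6 is a read.
LOG_ROWS = [
    LogRow(1, "2026-06-21 09:00:00", "Event", 1, "edit", "ORGA", "alice@orga.example",
           "info (org A event) => (org A event, updated)"),
    LogRow(2, "2026-06-21 09:05:00", "Event", 2, "edit", "ORGA", "alice@orga.example",
           "info (org B event) => (poisoned), org_id (20) => (10)"),
    LogRow(3, "2026-06-21 09:10:00", "Event", 2, "edit", "ORGA", "admin@orga.example",
           "published (0) => (1)"),
    LogRow(4, "2026-06-21 09:15:00", "Attribute", 200, "add", "ORGB", "sync@orgb.example",
           "value () => (198.51.100.7)"),
    LogRow(5, "2026-06-21 09:20:00", "Attribute", 200, "edit", "ORGA", "alice@orga.example",
           "event_id (2) => (1)"),
    LogRow(6, "2026-06-21 09:25:00", "Event", 2, "view", "ORGA", "alice@orga.example", ""),
]


def owning_org(row):
    """Organisation that owns the record the log row touched, or None if unknown."""
    if row.model == "Event":
        return EVENT_OWNER.get(row.model_id)
    if row.model in ("Attribute", "Object"):
        return EVENT_OWNER.get(ATTRIBUTE_EVENT.get(row.model_id))
    return None


def changed_ownership_fields(change):
    """(field, old, new) for every ownership/scope field in the change string."""
    return [(f, old, new) for f, old, new in CHANGE_RE.findall(change)
            if f in OWNERSHIP_FIELDS]


def suspicious_writes(rows):
    """Return [(log id, [reasons])] for writes worth a human look."""
    hits = []
    for r in rows:
        if r.action not in WRITE_ACTIONS or r.email in SITE_ADMINS:
            continue
        reasons = []
        owner = owning_org(r)
        if owner is not None and owner != r.org:
            reasons.append(f"{r.org} user wrote to {r.model} {r.model_id} owned by {owner}")
        for field, old, new in changed_ownership_fields(r.change):
            reasons.append(f"{field} changed ({old}) -> ({new})")
        if reasons:
            hits.append((r.id, reasons))
    return hits


if __name__ == "__main__":
    for log_id, reasons in suspicious_writes(LOG_ROWS):
        print(f"log {log_id}:")
        for reason in reasons:
            print(f"  - {reason}")
```

On a real instance the ownership join matters more than the regex: an edit that re-parents an attribute is only visible as an anomaly once you know which organisation owns the event it now points at, so pull current and historical ownership from the database rather than trusting the org column of the log row alone.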

