
MISP Core · EUVD-2026-38226 | CVE-2026-56423 · CRITICAL
Missing Authorization (CWE-862)
2026-06-22 · CIRCL · GHSA-3vhv-jx5j-gj6p
Severity: 9.4 (CVSS 4.0, vendor rating by CIRCL)

Severity by source

Vendor (CIRCL), primary: 9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 9.6 CRITICAL
Rationale: Network-reachable bulk endpoint, low complexity, requires a low-privileged authenticated user (perm_add); scope changes because one org's user destroys another org's data; no confidentiality loss, only integrity and availability.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H

Primary rating from Vendor (CIRCL).

CVSS Vector (Vendor: CIRCL)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

Jun 22, 2026 14:00 (vuln.today): Source code evidence fetched
Jun 22, 2026 14:00 (vuln.today): Analysis generated

Description (source: CVE.org)

MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sharing Groups. The affected deleteSelection handlers authorized deletion using broad role-level permissions instead of validating authorization for each selected object.

For Event Reports, EventReportsController::deleteSelection relied on the global perm_add capability rather than a per-report ownership/authorization check. As a result, a contributor-level user could submit report IDs or UUIDs for reports belonging to other organisations and hard-delete them instance-wide. The fix changed the callback to call EventReport::fetchIfAuthorized($user, $itemId, 'delete') for each selected report before deletion.

For Sharing Groups, SharingGroupsController::deleteSelection relied on the global perm_sharing_group capability rather than verifying ownership of each selected sharing group. This allowed a sharing-group-capable user to hard-delete sharing groups owned by other organisations, bypassing the per-object ownership gate used by the single-object delete action. The fix changed the callback to call SharingGroup::checkIfOwner($user, $itemId) for each selected sharing group.

An authenticated attacker with the relevant broad role permission could abuse the affected bulk deletion endpoints to delete objects outside their organisation’s authorization scope, causing loss of event-report content or sharing-group configuration across the instance.
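To make the defect concrete, here is an added Python model (not MISP's code; MISP itself is written in PHP) of a bulk-delete handler gated only by a role flag beside one that authorizes every selected object the way the fix does with fetchIfAuthorized. The User, EventReport and ReportStore names and the sample data are assumptions.

```python
"""Hypothetical in-memory model of the CWE-862 bulk-delete defect (not MISP code):
the vulnerable handler checks the role-level perm_add flag once per request,
the fixed handler authorizes every selected object before deleting anything."""
from dataclasses import dataclass

class Forbidden(Exception):
    """Stands in for a 403 response."""

@dataclass(frozen=True)
class User:
    name: str
    org_id: int
    perm_add: bool = False        # contributor-level role flag
    perm_site_admin: bool = False

@dataclass
class EventReport:
    id: int
    org_id: int                   # owning organisation
    title: str

class ReportStore:
    def __init__(self, reports):
        self.reports = {r.id: r for r in reports}

    def delete_selection_vulnerable(self, user, ids):
        """Before the fix: one role check, then every listed id is deleted."""
        if not user.perm_add:
            raise Forbidden("perm_add required")
        return [i for i in ids if self.reports.pop(i, None) is not None]

    def fetch_if_authorized(self, user, item_id, action):
        """Per-object gate: only the owning org or a site admin may delete."""
        report = self.reports.get(item_id)
        if report is None:
            raise Forbidden(f"report {item_id} not found")
        if action == "delete" and not (user.perm_site_admin or report.org_id == user.org_id):
            raise Forbidden(f"{user.name} may not delete report {item_id}")
        return report

    def delete_selection_fixed(self, user, ids):
        """After the fix: authorize every id first (fail closed), then delete."""
        if not user.perm_add:
            raise Forbidden("perm_add required")
        authorized = list(dict.fromkeys(self.fetch_if_authorized(user, i, "delete").id for i in ids))
        return [self.reports.pop(i).id for i in authorized]

def sample_store():
    """Constructed sample data: report 1 owned by org 10, reports 2 and 3 by org 20."""
    return ReportStore([EventReport(1, 10, "A"), EventReport(2, 20, "B1"), EventReport(3, 20, "B2")])
```

The fixed handler authorizes the whole selection before touching the store, so a single foreign id rejects the request instead of leaving a partially applied delete.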

Analysis (AI-generated)

Broken access control in MISP Core's bulk deletion handlers lets any authenticated user holding the broad perm_add or perm_sharing_group role flag hard-delete Event Reports and Sharing Groups belonging to other organisations across the entire instance. The flaw affects MISP threat-intelligence platform deployments and enables cross-tenant data destruction by contributor-level accounts; no public exploit was identified at the time of analysis, but the upstream patch commits are public and trivially reverse-engineerable.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Authenticate as contributor with perm_add or perm_sharing_group
Delivery: Enumerate target Event Report or Sharing Group IDs/UUIDs from readable views
Exploit: POST list to deleteSelection endpoint
Execution: Server skips per-object ownership check
Persist: Cross-org objects hard-deleted instance-wide
Impact: Loss of threat-intel content and sharing configuration

Vulnerability Assessment (AI-generated)

Exploitation: Attacker must hold an authenticated session on the target MISP instance with the perm_add role to abuse the Event Report bulk delete, or the perm_sharing_group role to abuse the Sharing Group bulk delete; both are non-admin, contributor-tier flags commonly granted to org members who author content. …

Risk Assessment: Vendor CVSS 4.0 of 9.4 (AV:N/AC:L/AT:N/PR:L/UI:N with high VC/VI/VA and high SC/SI/SA) reflects that any low-privileged authenticated user can trigger network-reachable, low-complexity exploitation with cross-tenant impact, which justifies a Critical rating in a shared-tenant threat-intel platform where data integrity and availability are the primary value. …

Exploit Scenario: A contributor-level account on a shared community MISP instance (for example a sector ISAC or partner-shared deployment) enumerates Event Report IDs or UUIDs from feeds it can read, then issues a single POST to EventReportsController::deleteSelection with that list and hard-deletes other organisations' analyst reports instance-wide. The same account, if it also holds perm_sharing_group, can iterate Sharing Group IDs and wipe distribution configurations belonging to other orgs, breaking ongoing intelligence sharing.

Remediation: Upstream fix available (commits ada02fa6d7558732aa4712fd5e9451cd8c5b7a64 and f99b3f16ef22c7acf10e17036c777759cf031c15); a released patched version is not independently confirmed in the supplied data, so upgrade to the latest MISP Core release that includes both commits via the standard MISP update procedure (git pull on the MISP working tree or your distribution package). …

Recommended Action (AI-generated)

Within 24 hours: Identify all MISP Core instances and document current software versions. …

