
MISP | EUVD-2026-38227 | CVE-2026-56424 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-22 CIRCL GHSA-r3v6-qw6x-wf6h
7.1 CVSS 4.0 · Vendor: CIRCL

Severity by source

Vendor (CIRCL) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.5 HIGH

Network-reachable controller, low-privileged authenticated user with subsystem permission, no UI; cross-organization tampering crosses a security scope (S:C) with high integrity impact, low availability from deletions, and no confidentiality impact described.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N

Primary rating from Vendor (CIRCL).

CVSS Vector (Vendor: CIRCL), broken down from the vendor vector above:

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

Source Code Evidence Fetched: Jun 22, 2026 - 14:00 (vuln.today)
Analysis Generated: Jun 22, 2026 - 14:00 (vuln.today)

Description (CVE.org)

MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature permission could cause the application to authorize one object but mutate another, or could modify objects that were merely visible rather than editable by the user’s organization.

The affected paths included:

  • Event Reports tag removal: the route-authorized report could differ from the report ID used for tag detachment, enabling cross-organization tag removal from another event report.
  • Collection Elements bulk deletion: bulk deletion authorized against a collection whose ID matched the collection-element row ID, rather than the element’s actual parent collection, enabling deletion of elements from collections the user did not own.
  • Analyst Data capture/update: nested analyst data updates could overwrite an existing record without applying the normal canEditAnalystData ownership check, enabling cross-organization overwrite of analyst data records.
  • Template Elements editing: editing authorized against a template whose ID matched the template-element ID, rather than the element’s actual parent template, enabling unauthorized edits to another organization’s template elements.
  • Decaying Model editing and mappings: write paths loaded models using view-scope access but did not verify edit ownership, enabling users to edit or remap visible models owned by another organization.

Successful exploitation could allow an authenticated user with subsystem-specific permissions to perform unauthorized cross-organization modifications or deletions of MISP data, resulting in integrity loss, unauthorized tampering with shared intelligence, and disruption of analyst workflows.

Analysis (AI)

Cross-organization data tampering in MISP (Malware Information Sharing Platform) core allows authenticated low-privileged users to modify or delete intelligence objects belonging to other organizations by exploiting broken access-control checks across Event Reports, Collection Elements, Analyst Data, Template Elements, and Decaying Models. The flaw stems from authorization being performed against the wrong entity ID or being entirely absent on write paths, enabling integrity attacks on shared threat intelligence. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: obtain authenticated MISP account
  • Delivery: enumerate cross-org object IDs
  • Exploit: craft request with mismatched route and body IDs
  • Execution: submit to vulnerable controller endpoint
  • Persist: bypass ownership check via wrong-entity authorization
  • Impact: tamper with or delete victim org's intelligence data

Vulnerability Assessment (AI)

Exploitation: Requires an authenticated MISP account on the target instance with the subsystem-specific permission for the targeted action: perm_tagger for the Event Reports tag removal path, edit/modify rights for Collection Elements bulk deletion, analyst-data edit permission for the AnalystData capture/update path, template editing permission for Template Elements, and decaying-model edit permission for the DecayingModel paths. …

Risk Assessment: The vendor CVSS 4.0 score of 7.1 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L) is plausible but appears skewed toward confidentiality (VC:H) when the described impact is overwhelmingly integrity-focused (cross-org data tampering, unauthorized edits, and deletions), so VI:H/VC:N would be a more accurate impact profile. …

Exploit Scenario: An attacker with a legitimate user account on a shared MISP instance (for example, a partner organization in a sharing community) issues an authenticated POST to the Event Reports removeTag endpoint with a URL pointing to a report they can access but an embedded body 'EventReport.id' pointing to a different organization's report, causing tags to be stripped from intelligence they have no authority to modify. The same technique applied to Collection Elements bulk delete or Analyst Data updates lets the attacker silently delete or overwrite another organization's curated intelligence, poisoning the shared dataset and disrupting downstream analyst workflows.

Remediation: Upstream fix available (commits 24d7e91, 57ad774d, 3aecc04d, ba2f51fe, 744005ce on the MISP/MISP GitHub repository); a specific tagged patched release version was not provided in the input data, so operators should upgrade to the next MISP release that bundles these commits or cherry-pick them directly. …
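As an added illustration (not MISP's code and not part of the advisory), the two defect patterns named in the description and in the exploit scenario above, modelled in Python beside their hardened forms: authorizing the route object while mutating the body object (the Event Reports tag-removal path), and gating a write path on view scope instead of edit ownership (the Decaying Model paths). Record, Forbidden, can_view, can_edit and the sample organizations A and B are all hypothetical.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    pass

@dataclass
class Record:
    # Hypothetical stand-in for an event report or decaying model row.
    owner_org: str
    shared_with: set = field(default_factory=set)  # orgs that may view, not edit
    tags: set = field(default_factory=set)
    params: dict = field(default_factory=dict)

def can_view(rec, org):
    return org == rec.owner_org or org in rec.shared_with

def can_edit(rec, org):
    return org == rec.owner_org

def remove_tag_vulnerable(db, org, route_id, body_id, tag):
    # Defect 1: the route ID is authorized, but the body ID is what gets mutated.
    if not can_edit(db[route_id], org):
        raise Forbidden
    db[body_id].tags.discard(tag)

def remove_tag_fixed(db, org, route_id, body_id, tag):
    # Authorize the exact record that is mutated; a body ID that disagrees with the route is rejected.
    if body_id != route_id or not can_edit(db[route_id], org):
        raise Forbidden
    db[route_id].tags.discard(tag)

def update_model_vulnerable(db, org, model_id, params):
    # Defect 2: a write path gated only by view scope.
    if not can_view(db[model_id], org):
        raise Forbidden
    db[model_id].params = dict(params)

def update_model_fixed(db, org, model_id, params):
    if not can_edit(db[model_id], org):  # visibility never implies editability
        raise Forbidden
    db[model_id].params = dict(params)

def sample_db():
    # Constructed data: org A owns record 1; org B owns record 2 and shares it with A.
    return {
        1: Record("A", tags={"tlp:amber"}),
        2: Record("B", shared_with={"A"}, tags={"tlp:red"}, params={"tau": 30}),
    }
```

Run against sample_db(), org A can strip the tag from B's record through the vulnerable handler but is refused by the fixed one; the same holds for the model update, where shared visibility alone no longer grants write access.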

Recommended Action (AI)

24 hours: Identify all MISP instances and document deployment versions. …



EUVD-2026-38227 vulnerability details – vuln.today
