Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable controller, low-privileged authenticated user with subsystem permission, no UI; cross-organization tampering crosses a security scope (S:C) with high integrity impact, low availability from deletions, and no confidentiality impact described.
Primary rating from Vendor (CIRCL).
Description (CVE.org)
MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature permission could cause the application to authorize one object but mutate another, or could modify objects that were merely visible rather than editable by the user’s organization.
The affected paths included:
- Event Reports tag removal: the route-authorized report could differ from the report ID used for tag detachment, enabling cross-organization tag removal from another event report.
- Collection Elements bulk deletion: bulk deletion authorized against a collection whose ID matched the collection-element row ID, rather than the element’s actual parent collection, enabling deletion of elements from collections the user did not own.
- Analyst Data capture/update: nested analyst data updates could overwrite an existing record without applying the normal canEditAnalystData ownership check, enabling cross-organization overwrite of analyst data records.
- Template Elements editing: editing authorized against a template whose ID matched the template-element ID, rather than the element’s actual parent template, enabling unauthorized edits to another organization’s template elements.
- Decaying Model editing and mappings: write paths loaded models using view-scope access but did not verify edit ownership, enabling users to edit or remap visible models owned by another organization.
Successful exploitation could allow an authenticated user with subsystem-specific permissions to perform unauthorized cross-organization modifications or deletions of MISP data, resulting in integrity loss, unauthorized tampering with shared intelligence, and disruption of analyst workflows.
Analysis (AI)
Cross-organization data tampering in MISP (Malware Information Sharing Platform) core allows authenticated low-privileged users to modify or delete intelligence objects belonging to other organizations by exploiting broken access-control checks across Event Reports, Collection Elements, Analyst Data, Template Elements, and Decaying Models. The flaw stems from authorization being performed against the wrong entity ID or being entirely absent on write paths, enabling integrity attacks on shared threat intelligence. …
Vulnerability Assessment (AI)
| Topic | Assessment |
|---|---|
| Exploitation | Requires an authenticated MISP account on the target instance with the subsystem-specific permission for the targeted action: perm_tagger for the Event Reports tag removal path, edit/modify rights for Collection Elements bulk deletion, analyst-data edit permission for the AnalystData capture/update path, template editing permission for Template Elements, and decaying-model edit permission for the DecayingModel paths. … |
| Risk Assessment | The vendor CVSS 4.0 score of 7.1 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L) is plausible but appears skewed toward confidentiality (VC:H) when the described impact is overwhelmingly integrity-focused (cross-org data tampering, unauthorized edits, and deletions), so VI:H/VC:N would be a more accurate impact profile. … |
| Exploit Scenario | An attacker with a legitimate user account on a shared MISP instance, for example a partner organization in a sharing community, issues an authenticated POST to the Event Reports removeTag endpoint with a URL pointing to a report they can access but an embedded body 'EventReport.id' pointing to a different organization's report, causing tags to be stripped from intelligence they have no authority to modify. The same technique applied to Collection Elements bulk delete or Analyst Data updates lets the attacker silently delete or overwrite another organization's curated intelligence, poisoning the shared dataset and disrupting downstream analyst workflows. |
| Remediation | Upstream fix available (commits 24d7e91, 57ad774d, 3aecc04d, ba2f51fe, 744005ce on the MISP/MISP GitHub repository); a specific tagged patched release version was not provided in the input data, so operators should upgrade to the next MISP release that bundles these commits or cherry-pick them directly. … |
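The two defect classes in the description and exploit scenario above (authorizing one object while mutating another, and checking ownership on a row whose ID merely collides with the parent's) are easy to see in a small model. The following is an added example, not MISP's own code; the handler names, the in-memory fixture and the `denied` helper are all constructed for illustration, and each vulnerable handler sits beside its corrected form.

```python
# Added example (not MISP's code): the advisory's two authorization defects beside corrected handlers.
class Forbidden(Exception): pass

def sample_data():
    # Constructed fixture: org 1 owns report 10, collection 1 and element 2;
    # element 2's row id collides with collection 2, which org 2 owns.
    reports = {10: {"org": 1, "tags": {"tlp:amber"}},
               20: {"org": 2, "tags": {"tlp:red"}}}
    collections = {1: 1, 2: 2}      # collection id -> owning org id
    elements = {1: 1, 2: 1}         # element row id -> parent collection id
    return reports, collections, elements

def remove_tag_vulnerable(reports, user_org, route_id, body_id, tag):
    # Authorizes the report named in the URL but mutates the one in the body.
    if reports[route_id]["org"] != user_org:
        raise Forbidden
    reports[body_id]["tags"].discard(tag)
    return reports[body_id]["tags"]

def remove_tag_fixed(reports, user_org, route_id, body_id, tag):
    # Authorize exactly the object that will be modified; refuse a mismatch.
    if body_id != route_id or reports[route_id]["org"] != user_org:
        raise Forbidden
    reports[route_id]["tags"].discard(tag)
    return reports[route_id]["tags"]

def bulk_delete_vulnerable(collections, elements, user_org, element_ids):
    # Checks the collection whose id equals the element row id, not its parent.
    for eid in element_ids:
        if collections[eid] != user_org:
            raise Forbidden
        del elements[eid]
    return set(elements)

def bulk_delete_fixed(collections, elements, user_org, element_ids):
    # Resolve each element's real parent collection before checking ownership.
    for eid in element_ids:
        if collections[elements[eid]] != user_org:
            raise Forbidden
    for eid in element_ids:
        del elements[eid]
    return set(elements)

def denied(handler, *args):
    # True when the handler refuses the request with Forbidden.
    try:
        handler(*args)
    except Forbidden:
        return True
    return False
```

The fixed handlers show the general rule for a reviewer auditing similar write paths: load the object that will actually be mutated, derive its owner from that object, and never trust a second identifier from the request body to name a different one.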
Recommended Action (AI)
24 hours: Identify all MISP instances and document deployment versions. …
References
EUVD-2026-38227
GHSA-r3v6-qw6x-wf6h