
MISP | EUVD-2026-38231 | CVE-2026-56447 | CRITICAL
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2026-06-22 · CIRCL · GHSA-834x-pvxg-xh58
9.3 · CVSS 4.0 · Vendor: CIRCL

Severity by source

Vendor (CIRCL), primary rating: 9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI rating: 9.1 CRITICAL

Network-reachable admin UI (AV:N/AC:L), requires site_admin (PR:H), no user interaction, code execution as MISP user breaks out of the application sandbox to the OS (S:C) with full CIA impact.

CVSS 3.1: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (CIRCL).

CVSS Vector (Vendor: CIRCL)

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: X (not defined; CVSS 4.0 has no Scope metric, its role being taken by the subsequent-system metrics SC/SI/SA)

Lifecycle Timeline

Source Code Evidence Fetched: Jun 22, 2026, 14:02 (vuln.today)
Analysis Generated: Jun 22, 2026, 14:02 (vuln.today)

Description (source: CVE.org)

MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path. MISP subsequently parsed the referenced INI file and passed its options to rdkafka. A crafted attacker-controlled configuration file could use rdkafka options such as plugin.library.paths to load an external library, resulting in arbitrary code execution with the privileges of the MISP process. An attacker could leverage a MISP-writable location, such as an uploaded file or administrative image, to host the malicious configuration file.

The issue is fixed by restricting the setting to absolute .ini files located only in approved configuration directories outside the webroot and MISP upload targets.

Analysis (AI-generated)

Authenticated arbitrary code execution in MISP allows a site administrator to abuse the Kafka_rdkafka_config setting to load an attacker-controlled INI file, which is parsed and passed to rdkafka with options such as plugin.library.paths that load an arbitrary shared library. The flaw (CWE-829, inclusion of functionality from an untrusted control sphere) yields code execution as the MISP process user; no public exploit had been identified at the time of analysis, but a vendor patch is available.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Compromise or abuse site_admin account
Delivery: Upload malicious .so via MISP attachment/org-image
Exploit: Upload INI file referencing plugin.library.paths
Install: Set Kafka_rdkafka_config to INI path
C2: Trigger Kafka publish action
Execute: rdkafka dlopen() executes payload as MISP user
Impact: Persist and pivot from MISP host

Vulnerability Assessment (AI-generated)

Exploitation: Requires an authenticated MISP site administrator account (the Server Settings UI/API is restricted to the site_admin role) on a MISP instance where the Kafka_rdkafka_config setting is writable. …
Risk Assessment: The CVSS 4.0 score of 9.3 is driven by AV:N/AC:L with high confidentiality, integrity and subsequent-system impact, but PR:H is the key moderator: only a MISP site administrator can change server settings, so this is a privilege-escalation/persistence primitive rather than a perimeter-breaching RCE. …
Exploit Scenario: A MISP site administrator (legitimate insider, or an attacker who has phished or hijacked an admin session or API key) uploads a malicious shared library disguised as an attachment or organisation logo, then uploads a small INI file containing plugin.library.paths=/var/www/MISP/app/files/<id>/payload.so. They navigate to Administration → Server Settings, set Kafka_rdkafka_config to the INI file path, and trigger any Kafka-publishing action; rdkafka dlopen()s the payload and the attacker gains code execution as the www-data/apache user. …
Remediation: The upstream fix is available as commit 9600d486ccfc98388e13897fd954350cebac5fb0 (https://github.com/MISP/MISP/commit/9600d486ccfc98388e13897fd954350cebac5fb0); upgrade to the first MISP release that incorporates this commit and verify that Server::testKafkaRdkafkaConfig (or the equivalent path validator) restricts the setting to absolute .ini files in approved configuration directories. …
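One way to implement the path restriction that the Description and the Remediation note above describe, as an added Python example that is not MISP's own code (MISP's real validator, Server::testKafkaRdkafkaConfig, is PHP; the approved and forbidden directory lists, the injectable realpath parameter and the symlink stand-in are constructed assumptions for this illustration):

```python
import os
from typing import Callable, Iterable, Tuple

# Constructed policy for this example (assumed, not MISP's real lists):
# approved config dirs outside the webroot, and webroot/upload targets.
APPROVED_CONFIG_DIRS = ("/etc/misp/kafka", "/opt/misp/config")
FORBIDDEN_DIRS = ("/var/www/MISP", "/tmp")


def _is_within(path: str, directory: str) -> bool:
    """True if path is directory or lies below it. Matching on a trailing
    separator avoids prefix confusion (/etc/misp/kafka-evil is not inside
    /etc/misp/kafka)."""
    directory = directory.rstrip(os.sep) or os.sep
    return path == directory or path.startswith(directory + os.sep)


def validate_rdkafka_config_path(
    value: str,
    approved: Iterable[str] = APPROVED_CONFIG_DIRS,
    forbidden: Iterable[str] = FORBIDDEN_DIRS,
    realpath: Callable[[str], str] = os.path.realpath,
) -> Tuple[bool, str]:
    """Return (ok, reason): accept only an absolute .ini path whose resolved
    location is inside an approved dir and outside every forbidden one."""
    if not value or not os.path.isabs(value):
        return False, "path must be absolute"
    if os.path.splitext(value)[1] != ".ini":
        return False, "file must have a .ini extension"
    # Resolve '..' segments and symlinks before comparing directories, so an
    # upload target reached indirectly is still caught.
    resolved = realpath(value)
    if os.path.splitext(resolved)[1] != ".ini":
        return False, "resolved target is not a .ini file"
    for d in forbidden:
        if _is_within(resolved, realpath(d)):
            return False, f"path resolves into forbidden directory {d}"
    for d in approved:
        if _is_within(resolved, realpath(d)):
            return True, "ok"
    return False, "path is outside approved configuration directories"


def constructed_realpath(path: str) -> str:
    """Constructed stand-in for os.path.realpath so the check runs offline:
    pretends one .ini under the approved dir is a symlink into uploads."""
    links = {"/etc/misp/kafka/link.ini": "/var/www/MISP/app/files/7/evil.ini"}
    return links.get(os.path.normpath(path), os.path.normpath(path))
```

In production keep the default os.path.realpath so real symlinks are resolved; the stand-in exists only so the traversal, prefix-confusion and symlink cases can be exercised without touching the filesystem.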

Recommended Action (AI-generated)

Within 24 hours: Identify all MISP deployments and confirm current versions against vendor advisory. …

