Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible bypass requiring only authenticated access (PR:L); impact confined to low-integrity writes on MISP event data with no confidentiality or availability effect.
Primary rating from Vendor (5a6e4751-2f3f-4070-9419-94fb35b644e8).
CVSS VectorVendor: 5a6e4751-2f3f-4070-9419-94fb35b644e8
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
MISP’s importModule() path used getEnabledModule() to resolve a single import module by name, but this lookup did not enforce the per-organisation module restriction checked by getEnabledModules(). As a result, an authenticated user from an organisation that was not allowed to use a module restricted via Plugin.Import_<module>_restrict could still invoke that import module directly if they knew its name.
This could allow unauthorised access to restricted import-module functionality and, depending on the module and the user’s event permissions, may allow unauthorised import or modification of event data through a module that should have been unavailable to the user’s organisation.
AnalysisAI
Incorrect authorization in MISP versions through 2.5.42 allows authenticated users from restricted organizations to invoke import modules that their organization has been explicitly blocked from using via the Plugin.Import_<module>_restrict configuration. The importModule() function relied on getEnabledModule() - a single-module lookup that lacks per-organisation restriction awareness - rather than the restriction-enforcing getEnabledModules(), creating a logical bypass exploitable by any authenticated user who knows a restricted module's name. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid MISP user account (PR:L) whose organization has been explicitly restricted from one or more import modules via the Plugin.Import_<module>_restrict configuration setting - deployments that do not configure this restriction are not affected by this specific bypass. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.3 (Medium) reflects the balanced risk profile: network-reachable (AV:N) with low complexity (AC:L) and no required user interaction (UI:N), but gated behind authenticated access (PR:L) and producing only limited integrity impact (VI:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated MISP user belonging to an organization that has been restricted from using a sensitive import module - for example, one that can ingest data from an external threat feed or execute enrichment queries - identifies the module's internal name through MISP documentation or source code review. The user directly invokes the importModule() function via the MISP web interface or REST API, passing the module name; the restriction check is bypassed because getEnabledModule() does not consult the per-organisation access list. … |
| Remediation | Apply the upstream fix available at https://github.com/MISP/MISP/commit/0ed79b4d3177f4b9e44040962161a1a436d2587d, which corrects importModule() to enforce per-organisation restrictions consistently. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42241
GHSA-6vww-2wx8-q6x4