Skip to main content

MISP EUVDEUVD-2026-42241

| CVE-2026-60125 MEDIUM
Incorrect Authorization (CWE-863)
2026-07-08 5a6e4751-2f3f-4070-9419-94fb35b644e8 GHSA-6vww-2wx8-q6x4
5.3
CVSS 4.0 · Vendor: 5a6e4751-2f3f-4070-9419-94fb35b644e8
Share

Severity by source

Vendor (5a6e4751-2f3f-4070-9419-94fb35b644e8) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-accessible bypass requiring only authenticated access (PR:L); impact confined to low-integrity writes on MISP event data with no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (5a6e4751-2f3f-4070-9419-94fb35b644e8).

CVSS VectorVendor: 5a6e4751-2f3f-4070-9419-94fb35b644e8

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 15:27 vuln.today

DescriptionCVE.org

MISP’s importModule() path used getEnabledModule() to resolve a single import module by name, but this lookup did not enforce the per-organisation module restriction checked by getEnabledModules(). As a result, an authenticated user from an organisation that was not allowed to use a module restricted via Plugin.Import_<module>_restrict could still invoke that import module directly if they knew its name.

This could allow unauthorised access to restricted import-module functionality and, depending on the module and the user’s event permissions, may allow unauthorised import or modification of event data through a module that should have been unavailable to the user’s organisation.

AnalysisAI

Incorrect authorization in MISP versions through 2.5.42 allows authenticated users from restricted organizations to invoke import modules that their organization has been explicitly blocked from using via the Plugin.Import_<module>_restrict configuration. The importModule() function relied on getEnabledModule() - a single-module lookup that lacks per-organisation restriction awareness - rather than the restriction-enforcing getEnabledModules(), creating a logical bypass exploitable by any authenticated user who knows a restricted module's name. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege MISP user
Delivery
Identify restricted import module name via docs or source
Exploit
Call importModule() with module name directly
Execution
Bypass per-organisation check in getEnabledModule()
Persist
Invoke restricted import module
Impact
Import or modify MISP event data

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid MISP user account (PR:L) whose organization has been explicitly restricted from one or more import modules via the Plugin.Import_<module>_restrict configuration setting - deployments that do not configure this restriction are not affected by this specific bypass. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.3 (Medium) reflects the balanced risk profile: network-reachable (AV:N) with low complexity (AC:L) and no required user interaction (UI:N), but gated behind authenticated access (PR:L) and producing only limited integrity impact (VI:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated MISP user belonging to an organization that has been restricted from using a sensitive import module - for example, one that can ingest data from an external threat feed or execute enrichment queries - identifies the module's internal name through MISP documentation or source code review. The user directly invokes the importModule() function via the MISP web interface or REST API, passing the module name; the restriction check is bypassed because getEnabledModule() does not consult the per-organisation access list. …
Remediation Apply the upstream fix available at https://github.com/MISP/MISP/commit/0ed79b4d3177f4b9e44040962161a1a436d2587d, which corrects importModule() to enforce per-organisation restrictions consistently. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42241 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy