Broken access control in MISP core allows cross-organization unauthorized modification or deletion of analyst data, event reports, collections, templates, and decaying models

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-56424
StatePUBLISHED
AssignerCIRCL
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-06-22 14:17:50 UTC
Updated2026-06-22 17:50:45 UTC
DescriptionMISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature permission could cause the application to authorize one object but mutate another, or could modify objects that were merely visible rather than editable by the user’s organization. The affected paths included: * Event Reports tag removal: the route-authorized report could differ from the report ID used for tag detachment, enabling cross-organization tag removal from another event report * Collection Elements bulk deletion: bulk deletion authorized against a collection whose ID matched the collection-element row ID, rather than the element’s actual parent collection, enabling deletion of elements from collections the user did not own. * Analyst Data capture/update: nested analyst data updates could overwrite an existing record without applying the normal canEditAnalystData ownership check, enabling cross-organization overwrite of analyst data records. * Template Elements editing: editing authorized against a template whose ID matched the template-element ID, rather than the element’s actual parent template, enabling unauthorized edits to another organization’s template elements. * Decaying Model editing and mappings: write paths loaded models using view-scope access but did not verify edit ownership, enabling users to edit or remap visible models owned by another organization.  Successful exploitation could allow an authenticated user with subsystem-specific permissions to perform unauthorized cross-organization modifications or deletions of MISP data, resulting in integrity loss, unauthorized tampering with shared intelligence, and disruption of analyst workflows.

Risk And Classification

Primary CVSS: v4.0 7.1 HIGH from 5a6e4751-2f3f-4070-9419-94fb35b644e8

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Problem Types: CWE-639 | CWE-862 | CWE-863 | CWE-639 CWE-639 Authorization Bypass Through User-Controlled Key | CWE-863 CWE-863 Incorrect Authorization | CWE-862 CWE-862 Missing Authorization

VersionSourceTypeScoreSeverityVector
4.05a6e4751-2f3f-4070-9419-94fb35b644e8Secondary7.1HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/C...
4.0CNACVSS7.1HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N

CVSS v4.0 Breakdown

Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
Low
User Interaction
None
Confidentiality
High
Integrity
Low
Availability
None
Sub Conf.
Low
Sub Integrity
None
Sub Availability
None

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Misp Misp affected 2.5.41 semver Not specified

References

ReferenceSourceLinkTags
github.com/MISP/MISP/commit/3aecc04d5816189412b589cf590c6dbe9a8db5c0 5a6e4751-2f3f-4070-9419-94fb35b644e8 github.com
github.com/MISP/MISP/commit/57ad774d21bd1863d060a9e6e73ae54eb96784ce 5a6e4751-2f3f-4070-9419-94fb35b644e8 github.com
github.com/MISP/MISP/commit/ba2f51fe7440ba2c6043ccde858cac1e25f96931 5a6e4751-2f3f-4070-9419-94fb35b644e8 github.com
github.com/MISP/MISP/commit/24d7e91339a3ef043652dd5799c36e5065b2bb4a 5a6e4751-2f3f-4070-9419-94fb35b644e8 github.com
github.com/MISP/MISP/commit/744005cefdc3b943bd29669c3b34cc66a5fc2154 5a6e4751-2f3f-4070-9419-94fb35b644e8 github.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Andras Iklody (en)

CNA: Jeroen Pinoy (en)

CNA: Claude (the international export version) (en)

© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report